Files/attachments can be downloaded by anyone without permissions (by using tools like wget)

Added by Stan Thorovsky almost 11 years ago

Considering that our Redmine requires authentication to access any projects it strikes me as a security hole that anyone in the world can download any files/attachments by parsing the correct URL (e.g. https://example.com/attachments/2/private_document.txt).

Since in "Roles/Permissions" Redmine allows specifying the "View Documents/Files" permission, I would expect only users with that permission granted to be able to get to files, and not the whole world.

Is it possible to change this on our end? Should I report it as a bug?

Thanks for any help

Replies (5)

RE: Files/attachments can be downloaded by anyone without permissions (by using tools like wget) - Added by Felix Schäfer almost 11 years ago

Stan Thorovsky wrote:

Since in "Roles/Permissions" Redmine allows specifying the "View Documents/Files" permission, I would expect only users with that permission granted to be able to get to files, and not the whole world.

The View Documents and View Files permissions refer to documents written in and files uploaded to the Document and Files modules, not all attachments. Attachments should have the same visibility as the things they are attached to.

RE: Files/attachments can be downloaded by anyone without permissions (by using tools like wget) - Added by Stan Thorovsky almost 11 years ago

Thank you for your reply, Felix.

However, I'm not sure if you understood the issue at hand. My point is that ANY file that we upload as "Files" or add to "Documents" can be downloaded by ANYONE in the world by parsing the URL directly - regardless of any permissions or the fact that the site requires authentication to access. Sure, that 'anyone' would have to know the URL first, but it is an incredibly weak protection.

Here is an example of a URL that is a file in a private project in "Files" on a site that requires authentication and does not have anonymous users:

https://redmine.example.com/attachments/download/18/secretmemo.pdf

And all I need to download it is to open a terminal and type 'wget https://redmine.example.com/attachments/download/18/secretmemo.pdf'.

This behaviour does not seem secure to me - quite the opposite.

So is it an issue with our particular installation or should I report it as a security hole?
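The quickest way to settle the question in this thread for your own installation is to repeat the unauthenticated request described above against a few of your attachment URLs and look at what the server actually answers. The script below is an added example for that check; it is not Redmine's own code. It assumes (not verified against a specific Redmine version) that an anonymous client which may not see an attachment is either redirected to the login page or refused with 401/403, while a 200 with the file's own content type means the body was served. The URLs in it are constructed placeholders.

```python
"""Check whether attachment URLs are served to an unauthenticated client.

Added example for the thread above, not Redmine's own code. It sends a single
anonymous GET per URL (no cookies, no API key, the same request wget would make)
and reports whether the server handed the file over, refused it, or sent the
client to a login page. Run it only against an instance you administer.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class ProbeResult:
    url: str
    status: int
    location: Optional[str] = None      # Location header, if any
    content_type: Optional[str] = None  # Content-Type header, if any


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: the redirect itself is the evidence we want."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url: str, timeout: float = 10.0) -> ProbeResult:
    """Issue one anonymous GET and capture status and the headers we care about."""
    req = urllib.request.Request(url, headers={"User-Agent": "attachment-exposure-check"})
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return ProbeResult(url, resp.status, resp.headers.get("Location"),
                               resp.headers.get("Content-Type"))
    except urllib.error.HTTPError as err:
        # With redirects disabled, 3xx responses arrive here together with 4xx/5xx
        return ProbeResult(url, err.code, err.headers.get("Location"),
                           err.headers.get("Content-Type"))


def classify(result: ProbeResult) -> str:
    """Map a response to 'protected', 'exposed', 'missing' or 'unknown'.

    Assumption (not verified against a specific Redmine version): anonymous users
    who may not see an attachment are redirected to /login or refused with
    401/403, and a served attachment carries the file's own content type.
    """
    if result.status in (401, 403):
        return "protected"
    if result.status in (301, 302, 303, 307, 308):
        if result.location and "/login" in result.location:
            return "protected"
        return "unknown"  # redirected somewhere other than login: inspect by hand
    if result.status == 404:
        return "missing"
    if result.status == 200:
        # A 200 whose body is an HTML page (e.g. a login form rendered inline)
        # is not a confirmed leak, so flag it for manual inspection instead.
        if result.content_type and result.content_type.startswith("text/html"):
            return "unknown"
        return "exposed"
    return "unknown"


def audit(urls: List[str], probe_fn: Callable[[str], ProbeResult] = probe) -> Dict[str, str]:
    """Classify every URL; probe_fn is injectable so the logic can be exercised offline."""
    return {url: classify(probe_fn(url)) for url in urls}


if __name__ == "__main__":
    # Constructed placeholders: replace with attachment URLs from your own instance.
    targets = [
        "https://redmine.example.com/attachments/download/18/secretmemo.pdf",
        "https://redmine.example.com/attachments/2/private_document.txt",
    ]
    for url, verdict in audit(targets).items():
        print(f"{verdict:10} {url}")
```

Any URL reported as "exposed" for a project that is supposed to be private means the request reached the file body without a session, which is the condition the original post describes; compare that result with what the same URL returns when the anonymous role has no permissions on the project, and with whether the web server in front of Redmine is serving the files directory directly.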

RE: Files/attachments can be downloaded by anyone without permissions (by using tools like wget) - Added by ahsan akhter about 9 years ago

Yes, I have the same issue. It is required that read-only users just view the document on Redmine pages, NOT download and view.
