开源版3.8.3存在未授权访问漏洞 #2077
Comments
|
Hi there, This feature is by design and not a bug. You can limit the new user register in the admin panel, and change the share link to private (or named using password) so that those share link wont be shown in the search result, to protect your file. Also, if you want better way to hide the share link, and without set a password, you may edit some of the source code of cloudreve and then build and install it; or turn to some contributor for dev. Thanks. |
|
您好开发者,我知道您当初设计可能是这样,但是这是在设置过后才能有的效果,若管理员不对这些进行限制,默认情况下是否符合配置错误导致的漏洞呢?请开发者在后续版本中更新这个问题,可以吗,否则互联网上使用这个组件的网站会有更多的机密文件因安装这个组件所导致的泄露问题 |
|
Hi, The search of public share file/folder without login is by design and this is not a bug and currently it cannot be turn off manually by admin. For secret files, you should set a password for the share and then this wont be searched anymore. Thanks. |
|
...很明显这是设计的,而且人家已经说了可以在后台关闭 |
|
实际上你的问题可以通过关闭新用户注册并把 |
默认配置下;管理员或者用户在上传文件后创建链接分享的内容,导致任意用户分享的文件访问下载,可能导致敏感文件的泄露,默认配置下,任意用户可以对云盘进行注册,并上传文件;若公司使用了该组件进行存储文件,则会导致公司私密数据泄露
修复建议:
未注册用户,无下载权限,私密数据设置保密箱需要秘钥才能进行访问,对未注册已注册用户权限进行限制
案例:
在搜索框输入任意字符进行测试
发现存在该字符的文件,并且可以进行下载
点击下载,是可以进行下载的
The text was updated successfully, but these errors were encountered: