Security Issue: Attachments uploaded to Expense Claims Visible to public

David_Liu · March 28, 2016, 11:58pm

Hi there,

It seems people with the direct link can download / view attachments that would have been otherwise not shown to users.

For example, if you uploaded an attachment to EXP00001 and the direct link to the file becomes

http://192.168.0.1/files/EXP00001-Attachment.pdf

Anyone who knows the above URL would be able to access the attachment directly without any authentication. Suggest to check sessions when accessing the /files/ and also check the user’s permission to whether he/she has access to that specific record, e.g. expense claim.

Tested on ERPNext: v5.6.2

rmehta · March 29, 2016, 5:04am

Already fixed in the latest with private files.

PeterDF · July 18, 2016, 12:50pm

So does marking an attachment as private mean that it is only available to the submitting user, or does it mean that it is available to any authenticated user?

spa · July 18, 2016, 4:35pm

Hi @PeterDF,

as far as it was any authenticated user that has the right to view a document and it´s attachments by permission rules