Security Flaw in DownloadController.cs: Vendor can download any Download file by Id

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
10 years ago
I might be wrong here, so please sorry if this is a mistake. In Admin DownloadController.cs there is a method to download files by id which is really unsecured.

At the moment we only have the attribute: [AdminAuthorize] which will also give access to Vendord to download any file.

There should be a way to validate that this method should only be accessed by users in the Role Administrator.
I blog at carlosmartinezt.com and vote up if it helped *__*
2
10 years ago
Hmm. You're absolutely right. But if we limit this method to the administrators role, then vendors won't be able to upload (then download) files for downloadable products because we cannot load (find) a product by "download" entity

I've just created a work item but I'm not sure how to fix it yet. Maybe, download files by GUID (not ID)
Interested in the dedicated Premium support services provided by core developers? Please visit https://www.nopcommerce.com/nopcommerce-premium-support-services

Regards,
Andrei Mazulnitsyn
nopCommerce team
0
10 years ago
What about some sort of ACL on the Download?  You can download it if you uploaded it or you're in the Administrators group (or whatever role is chosen).
StackOverflow - http://stackoverflow.com/users/113988/andymckenna
https://github.com/AndyMcKenna
0
10 years ago
Fixed. Please see changeset f586c59055e4
Interested in the dedicated Premium support services provided by core developers? Please visit https://www.nopcommerce.com/nopcommerce-premium-support-services

Regards,
Andrei Mazulnitsyn
nopCommerce team
0
This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.