
[fixed] No censoring or malicious code checking on attachment names



splooge
Wed 22nd May '02, 4:06pm
I sent a PM to someone, but I am mainly looking for a response from someone asap and Kier may just be too busy ;p

It seems that the filename upload in the attachment option is parsed for HTML. Someone did some messing around and uploaded (I think) a long file name which executed some little quick JavaScript that opened up a new window and posted a new post titled "I am a monkey." rofl. So whoever read that thread (even though HTML is off) had that script executed, and I ended up with 50 new threads titled "I am a monkey." While I think it was pretty cool, hehe, I think I need to make sure whether this is or isn't really a security issue or just the way I've got something set up?

Here's a link to some quick discussion on it:

http://www.pwned.com/showthread.php?s=&threadid=5170
login abc:123

In the meantime I disabled file uploads by removing all allowed upload extensions (Is this the best way?)

My main thing is he's claiming that by doing this he can grab other peoples session IDs and log on as them or something. Spooky! (Although I believe the session ID is only one of like 4 identifiers proving who you are, one of the others being IP address?)

Thanks. ;p These guys are like ninja compared to me.

Scott MacVicar
Wed 22nd May '02, 4:41pm
I'm looking into this now and I think I'll do a quick test with this post.

I believe you're suggesting that the actual attachment name isn't being checked and/or censored.

Scott

splooge
Wed 22nd May '02, 6:44pm
Right. I think the file name itself was Java code.

Scott MacVicar
Wed 22nd May '02, 7:43pm
Unable to produce this error as > is not a valid character on Windows or Linux, but I've looked over the code and there is no checking to stop people giving invalid names to attachments or censoring in attachments, so I'm moving it to the bugs forum for a developer to look at.

Freddie Bingham
Wed 22nd May '02, 8:21pm
This will be patched up in 2.2.6