[subject renamed] Guessing Folder Names

mastern

New Member
YetiShare User
Apr 24, 2013
56
0
0
#1
Hi Adam!

I can create a bot to retrieve all data on a website running YS with the method below:

// This isn't safe by default.
https://fhscript.com/17~f
https://fhscript.com/18~f
https://fhscript.com/19~f

Same with statistics ~s

// username exists
notification::setError(t("email_address_already_exists", "Email address already exists on another account"));

//I see t

Confidentiality please!!

Regards,
 

paypal1352

New Member
YetiShare User
YetiShare Supporter
Wurlie User
Mar 2, 2012
297
0
0
#2
Re: Confidentiality & security breach

Folder hashes are coming in version 4.3
 

adam

Administrator
Staff member
Dec 5, 2009
1,755
30
48
mfscripts.com
WEBSITE
https://yetishare.com
LOCATION
UK
#3
Re: [renamed] Folder Names

Hi mastern,

It's not exactly a "security issue". If you don't want stats or folders to be public, just set them as private. Guessing the URL won't make a difference in this instance.

As paypal1352 says, we'll have hashing soon so you'll have the option to securely share a private folder.

Thanks,
Adam.
 

enricodias4654

Member
YetiShare User
Jan 13, 2015
411
0
16
#4
Well, it is a kind of privacy issue. Most users don't pay attention to the privacy settings, and the default setting is to make the file public.


If you know something about PHP, follow these steps to add hashes to folders:


1) Add a field "shortUrl" on the file_folder table. Make it a binary field with 8 bytes and add a unique index to it.

2) Locate the function loadById in include/fileFolder.class.php.
Change the class declaration to:
public static function loadById($id, $shortUrl = false) {
Change the line
$row = $db->getRow('SELECT * FROM file_folder WHERE id = ' . (int) $id );
to
if (!$shortUrl) $row = $db->getRow('SELECT * FROM file_folder WHERE id = '.(int)$id);
and add the line
else $row = $db->getRow('SELECT * FROM file_folder WHERE shortUrl = UNHEX('.$db->quote($id).')');
just below it.

3) Open the file /templates/ajax/_account_edit_folder.process.ajax.php and locate the line starting with $rs = $db->query('INSERT INTO file_folder (folderName, isPublic, userId, parentId, shortUrl) and replace it with this code:

// generate a 16-hex-character (8 byte) token and retry until it is not already in use
while (true) {
    $hash = substr(md5(uniqid().mt_rand(0, 99999)), 0, 16);
    if (!$db->numRows('SELECT id FROM file_folder WHERE shortUrl = UNHEX('.$db->quote($hash).') LIMIT 1')) break;
}

// store the token as raw bytes; UNHEX() turns the 16 hex characters into 8 bytes
$rs = $db->query('INSERT INTO file_folder (folderName, isPublic, userId, parentId, shortUrl)
    VALUES (:folderName, :isPublic, :userId, :parentId, UNHEX(:shortUrl))',
    array(
        'folderName' => $folderName,
        'isPublic' => $isPublic,
        'userId' => $Auth->id,
        'parentId' => $parentId,
        'shortUrl' => $hash
    )
);

4) Open the file /templates/ajax/_account_edit_folder.ajax.php and add the line $shortUrl = bin2hex($fileFolder->shortUrl); just after the line $editFolderId = $fileFolder->id;
In the form field displaying the folder url, use the $shortUrl instead of the folder id.

5) Open the file /template/view_folder.html. The first 11 lines of this file should be like the following:
<?php
// initial checks
$folderUrl = $_GET['_page_url'];

// make sure it's a public folder or the owner is logged in
if ($folderUrl) {

$fileFolder = fileFolder::loadById($folderUrl, true);
if (!$fileFolder) coreFunctions::redirect(WEB_ROOT.SITE_CONFIG_PAGE_EXTENSION);

$folderId = $fileFolder->id;

In this page there is a form to submit password for password protected folders. In the form action, replace the folder id with bin2hex($fileFolder->shortUrl)

6) You need to edit the javascript of the lateral menu to make the "share folder" link work with the new url. I added the hash in the title attribute and replaced the $('#nodeId').val() to $('#nodeTitle').val() in the javascript. To add the hash in the title, edit the /core/page/ajax/_account_home_v2_folder_listing.ajax.php and replace 'title'=>'' with 'title'=>bin2hex($row['shortUrl']) in the end of the file. Remember to alter the query and add shortUrl. It should start with $rows = $db->getRows('SELECT id, folderName, shortUrl


I guess that's it. I can't post the full files here because my script is completely different from the original yetishare and the files will not work with other installations.

Note that I'm using a field binary(8) instead of a char(16). A numeric field would work as well. This method makes the storage and the indexes 50% smaller. Small indexes have a huge impact on performance. I recommend using this method for all hashes in the script.
 
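As an added example (not code from the post or from YetiShare), the same design in PHP: an 8-byte folder token with a UNIQUE index, generated with random_bytes() rather than md5(uniqid().mt_rand()) so the value cannot be predicted, and looked up by its hex form. PDO with an in-memory SQLite table is assumed in place of the script's $db wrapper; table and column names follow the post.

```php
<?php
// Added example, not YetiShare's code: 8 raw random bytes per folder, UNIQUE index
// as in the post, random_bytes() instead of md5(uniqid()). PDO + in-memory SQLite
// stands in for the script's $db wrapper (assumption); hex2bin() replaces UNHEX().

function makeFolderToken(PDO $db): string {
    // Retry until the token is unused; the UNIQUE index is the real guarantee.
    while (true) {
        $raw = random_bytes(8);                     // 8 bytes = 16 hex characters
        $stmt = $db->prepare('SELECT 1 FROM file_folder WHERE shortUrl = :t LIMIT 1');
        $stmt->bindValue(':t', $raw, PDO::PARAM_LOB);
        $stmt->execute();
        if ($stmt->fetchColumn() === false) {
            return $raw;
        }
    }
}

function createFolder(PDO $db, string $name, int $userId, bool $isPublic): string {
    $raw = makeFolderToken($db);
    $stmt = $db->prepare('INSERT INTO file_folder (folderName, isPublic, userId, shortUrl)
                          VALUES (:name, :pub, :uid, :t)');
    $stmt->bindValue(':name', $name);
    $stmt->bindValue(':pub', $isPublic ? 1 : 0, PDO::PARAM_INT);
    $stmt->bindValue(':uid', $userId, PDO::PARAM_INT);
    $stmt->bindValue(':t', $raw, PDO::PARAM_LOB);
    $stmt->execute();
    return bin2hex($raw);                            // this is what goes in the URL
}

// Lookup for the folder page: reject anything that is not 16 hex characters
// before querying, then compare on the raw bytes.
function loadFolderByToken(PDO $db, string $hex): ?array {
    if (!preg_match('/^[0-9a-f]{16}$/i', $hex)) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, folderName, isPublic, userId FROM file_folder WHERE shortUrl = :t');
    $stmt->bindValue(':t', hex2bin($hex), PDO::PARAM_LOB);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE file_folder (id INTEGER PRIMARY KEY AUTOINCREMENT, folderName TEXT,
           isPublic INTEGER, userId INTEGER, shortUrl BLOB NOT NULL UNIQUE)');
$token = createFolder($db, 'holiday photos', 42, false);   // constructed sample folder
var_dump(loadFolderByToken($db, $token));                   // the folder row
var_dump(loadFolderByToken($db, '0000000000000001'));       // a sequential guess
```

The token only removes URL guessing; as Adam notes above, the folder's private flag still has to be checked before anything in it is shown.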

enricodias4654

Member
YetiShare User
Jan 13, 2015
411
0
16
#5
Whoever uses my solution, please test it well. I coded it in the last 15 minutes. It's working in my script, but I didn't test it in the default YetiShare script.
 

mastern

New Member
YetiShare User
Apr 24, 2013
56
0
0
#6
@enricodias :
Thanks for these good tips, it is excellent. I will add it to my script.

@Adam :
When I lock the folder to private, all files inside the folder can't be shared. All images, for example, don't show up on their sharing link. :(
 

enricodias4654

Member
YetiShare User
Jan 13, 2015
411
0
16
#7
I just noticed that using the title attribute to store the folder hash in the lateral menu isn't the best approach; the hash will be displayed if the user moves the mouse over the link. I'm using the attribute "name" instead.
 

mastern

New Member
YetiShare User
Apr 24, 2013
56
0
0
#8
Hello,

I used the core's "hash url generator class" to generate the folder URL; for me it is the best way, as bin2hex or hex is limited to a->f / 0->9. And I chose not to use title => 'hash' but added another attr.

It works well for me after a huge modification.

Regards,
 

enricodias4654

Member
YetiShare User
Jan 13, 2015
411
0
16
#9
mastern said:
Hello,

I used the core's "hash url generator class" to generate the folder URL; for me it is the best way, as bin2hex or hex is limited to a->f / 0->9. And I chose not to use title => 'hash' but added another attr.

It works well for me after a huge modification.

Regards,
Adding a strange attribute will make your layout fail in w3c tests. I'm using the "name" attribute.
 

mastern

New Member
YetiShare User
Apr 24, 2013
56
0
0
#10
There are many methods to do this (data). And don't worry about W3C, as the full and latest HTML5 and modern-browser-specific CSS3 are not supported by W3C.
 

paypal1352

New Member
YetiShare User
YetiShare Supporter
Wurlie User
Mar 2, 2012
297
0
0
#11
enricodias4654 said:
Whoever uses my solution, please test it well. I coded it in the last 15 minutes. It's working in my script, but I didn't test it in the default YetiShare script.
Epic fail for me, I can't even get step 1 working.

1) Add a field "shortUrl" on the file_folder table. Make it a binary field with 8 bytes and add a unique index to it.

I've added the field to the file_folder table but can't seem to get a unique index on it; it keeps erroring out in phpMyAdmin.

Can I just do this with an SQL command directly instead of visually?

Is this solution v4.3 friendly, btw, and are existing folders going to continue to work?
 

enricodias4654

Member
YetiShare User
Jan 13, 2015
411
0
16
#12
paypal1352 said:
enricodias4654 said:
Whoever uses my solution, please test it well. I coded it in the last 15 minutes. It's working in my script, but I didn't test it in the default YetiShare script.
Epic fail for me, I can't even get step 1 working.

1) Add a field "shortUrl" on the file_folder table. Make it a binary field with 8 bytes and add a unique index to it.

I've added the field to the file_folder table but can't seem to get a unique index on it; it keeps erroring out in phpMyAdmin.

Can I just do this with an SQL command directly instead of visually?

Is this solution v4.3 friendly, btw, and are existing folders going to continue to work?
What error?
 

paypal1352

New Member
YetiShare User
YetiShare Supporter
Wurlie User
Mar 2, 2012
297
0
0
#13
Sorry, I don't have too much time to try it again. It was some sort of error in phpMyAdmin when attempting to add an index; I'll post the exact message when I get a chance. Thanks for your help.
 
Feb 15, 2019
2
0
1
19
#14
Well, it is a kind of privacy issue. Most users don't pay attention to the privacy settings, and the default setting is to make the file public.


If you know something about PHP, follow these steps to add hashes to folders:


1) Add a field "shortUrl" on the file_folder table. Make it a binary field with 8 bytes and add a unique index to it.

2) Locate the function loadById in include/fileFolder.class.php.
Change the class declaration to:
public static function loadById($id, $shortUrl = false) {
Change the line
$row = $db->getRow('SELECT * FROM file_folder WHERE id = ' . (int) $id );
to
if (!$shortUrl) $row = $db->getRow('SELECT * FROM file_folder WHERE id = '.(int)$id);
and add the line
else $row = $db->getRow('SELECT * FROM file_folder WHERE shortUrl = UNHEX('.$db->quote($id).')');
just below it.

3) Open the file /templates/ajax/_account_edit_folder.process.ajax.php and locate the line starting with $rs = $db->query('INSERT INTO file_folder (folderName, isPublic, userId, parentId, shortUrl) and replace it with this code:

// generate a 16-hex-character (8 byte) token and retry until it is not already in use
while (true) {
    $hash = substr(md5(uniqid().mt_rand(0, 99999)), 0, 16);
    if (!$db->numRows('SELECT id FROM file_folder WHERE shortUrl = UNHEX('.$db->quote($hash).') LIMIT 1')) break;
}

// store the token as raw bytes; UNHEX() turns the 16 hex characters into 8 bytes
$rs = $db->query('INSERT INTO file_folder (folderName, isPublic, userId, parentId, shortUrl)
    VALUES (:folderName, :isPublic, :userId, :parentId, UNHEX(:shortUrl))',
    array(
        'folderName' => $folderName,
        'isPublic' => $isPublic,
        'userId' => $Auth->id,
        'parentId' => $parentId,
        'shortUrl' => $hash
    )
);

4) Open the file /templates/ajax/_account_edit_folder.ajax.php and add the line $shortUrl = bin2hex($fileFolder->shortUrl); just after the line $editFolderId = $fileFolder->id;
In the form field displaying the folder url, use the $shortUrl instead of the folder id.

5) Open the file /template/view_folder.html. The first 11 lines of this file should be like the following:
<?php
// initial checks
$folderUrl = $_GET['_page_url'];

// make sure it's a public folder or the owner is logged in
if ($folderUrl) {

$fileFolder = fileFolder::loadById($folderUrl, true);
if (!$fileFolder) coreFunctions::redirect(WEB_ROOT.SITE_CONFIG_PAGE_EXTENSION);

$folderId = $fileFolder->id;

In this page there is a form to submit password for password protected folders. In the form action, replace the folder id with bin2hex($fileFolder->shortUrl)

6) You need to edit the javascript of the lateral menu to make the "share folder" link work with the new url. I added the hash in the title attribute and replaced the $('#nodeId').val() to $('#nodeTitle').val() in the javascript. To add the hash in the title, edit the /core/page/ajax/_account_home_v2_folder_listing.ajax.php and replace 'title'=>'' with 'title'=>bin2hex($row['shortUrl']) in the end of the file. Remember to alter the query and add shortUrl. It should start with $rows = $db->getRows('SELECT id, folderName, shortUrl


I guess that's it. I can't post the full files here because my script is completely different from the original yetishare and the files will not work with other installations.

Note that I'm using a field binary(8) instead of a char(16). A numeric field would work as well. This method makes the storage and the indexes 50% smaller. Small indexes have a huge impact on performance. I recommend using this method for all hashes in the script.
Could you help me install this?