
vB3.5 and Attachment Security


  • vB3.5 and Attachment Security

    Please allow me to ask a question that has been touched on but, as near as I can tell, not specifically for 3.5. I need to be sure of this for a new site.

    I wish to allow only paid subscription members to download attachments which will be 10MB to 50MB files of a type which are often targeted by hackers. I intend to accomplish this through the built-in usergroup forum and attachment permissions.

    Question 1: Security. Is there any way for common hackers to break into attachments and grab them? I understand no system is crack-proof but need a reasonable level of security to block the amateur attempts and be certain no one can download them through a direct URL link shared by a member with permissions.

    Question 2: Will 50MB attachments be a problem? I can't imagine how but again, need to be sure. I will take care of server storage and bandwidth.

    Thank you.

  • #2
    1. Are you storing attachments in the file system or database?

    2. Yes, those sizes can be quite a problem to upload with a PHP script. In fact, I would be surprised if you can do this.

    In addition to the vB settings, the allowed size of the attachments depends on the PHP and MySQL configuration. You may need to check and change the upload size for both PHP and for MySQL. Note, you'll need to have root access to the server to do this (or have your host do it.) Make these changes to php.ini:

    upload_max_filesize = xM

    ..and my.cnf (or my.ini for Windows systems)


    Change it to the size ('x') you want in Megabytes. Restart the webserver and MySQL after making these changes.

    Also you might want to take a look at this for other settings that affect file uploads:
    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)


    • #3
      1) If you store attachments in the File System, make sure the directory in which you are storing them is OUTSIDE the web root. Doing that will prevent unauthorized users from accessing them. With lots of (large) attachments, you don't want to store them in the database anyway, but that would be just as secure.
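An added example, not part of the thread and not vBulletin code: a check that an attachment directory really is outside the web root, as reply #3 advises. It resolves symlinks first and also flags symlinks inside the web root that lead back to the store. The directory names are made up, and it assumes a POSIX host whose web server follows symlinks.

```python
import os
import tempfile


def _within(path, parent):
    # Compare whole path components: /srv/www-files is NOT inside /srv/www,
    # which a plain startswith() test would get wrong.
    return os.path.commonpath([path, parent]) == parent


def is_web_exposed(attach_dir, web_root):
    """True if attach_dir, after resolving symlinks, is web_root or below it."""
    return _within(os.path.realpath(attach_dir), os.path.realpath(web_root))


def links_into(attach_dir, web_root):
    """Symlinks under web_root whose target overlaps attach_dir (relative paths)."""
    store, root = os.path.realpath(attach_dir), os.path.realpath(web_root)
    found = []
    for cur, dirs, files in os.walk(root):  # does not descend into symlinked dirs
        for name in dirs + files:
            p = os.path.join(cur, name)
            if os.path.islink(p):
                target = os.path.realpath(p)
                if _within(store, target) or _within(target, store):
                    found.append(os.path.relpath(p, root))
    return sorted(found)


def demo():
    # Constructed layout in a temp directory; every name here is made up.
    base = os.path.realpath(tempfile.mkdtemp())
    web_root = os.path.join(base, "www")
    inside = os.path.join(web_root, "attachments")   # store under the web root
    sibling = os.path.join(base, "www-files")        # store beside the web root
    os.makedirs(inside)
    os.makedirs(sibling)
    alias = os.path.join(base, "store")
    os.symlink(inside, alias)                          # looks outside, resolves inside
    os.symlink(sibling, os.path.join(web_root, "dl"))  # web-root link to the store
    return {
        "inside": is_web_exposed(inside, web_root),
        "alias": is_web_exposed(alias, web_root),
        "sibling": is_web_exposed(sibling, web_root),
        "links": links_into(sibling, web_root),
    }


if __name__ == "__main__":
    print(demo())
```

A store that passes the first check but shows up in `links_into` is still reachable by direct URL if the web server follows that link.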


      • #4
        Have you considered setting up a private FTP site which can be browsed as a companion to your forum?

