Why can't anonymous users access uploaded files

Last updated on
27 September 2024

This documentation is deprecated.

From: Drupal file upload by anonymous or untrusted users into public file systems -- PSA-2016-003

Recently the Drupal Security Team has seen a trend of attacks utilizing a site mis-configuration. This issue only affects sites that allow file uploads by non-trusted or anonymous visitors, and stores those uploads in a public file system. These files are publically accessible allowing attackers to point search engines and people directly to them on the site. The majority of the reports are based around the webform module, however, other modules are vulnerable to this misconfiguration as well.

For example, if a webform configured to allow anonymous visitors to upload an image into the public file system, that image would then be accessible by anyone on the internet. The site could be used by an attacker to host images and other files that the legitimate site maintainers would not want made publicly available through their site.

Learn more

Help improve this page

Page status: Deprecated

You can: