Webform Frequently Asked Questions
- Differences between the Webform module and Contact module
- How to enable the public file system for the webform file upload element
- How to use composer to install libraries for the Webform module
- What Drupal 7 Webform related projects have been incorporated into the Webform module for Drupal 8
- What to do about deprecated external libraries in Webform 6.x+
- Why are Webform elements stored as a plain text strings when exported into configuration files.
- Why can't anonymous users access uploaded files
Why can't anonymous users access uploaded files
This documentation is deprecated.
From: Drupal file upload by anonymous or untrusted users into public file systems -- PSA-2016-003
Recently the Drupal Security Team has seen a trend of attacks utilizing a site mis-configuration. This issue only affects sites that allow file uploads by non-trusted or anonymous visitors, and stores those uploads in a public file system. These files are publically accessible allowing attackers to point search engines and people directly to them on the site. The majority of the reports are based around the webform module, however, other modules are vulnerable to this misconfiguration as well.
For example, if a webform configured to allow anonymous visitors to upload an image into the public file system, that image would then be accessible by anyone on the internet. The site could be used by an attacker to host images and other files that the legitimate site maintainers would not want made publicly available through their site.
Help improve this page
You can:
- Log in, click Edit, and edit this page
- Log in, click Discuss, update the Page status value, and suggest an improvement
- Log in and create a Documentation issue with your suggestion