There's an security issue in prosody-filer versions < 1.0.1 which leads to unwanted directory listings of download directories.
An attacker is able to list previous uploads of a certain user by shortening the URL and accessing a URL subdirectors other than /upload/ (or the corresponding user defined root dir)
Version 1.0.1 and later fix this problem and allow only direct file access if the full path is known. Directory listings are blocked entirely.
If you're using the alternative Nginx configuration to let Nginx serve static files, make sure to set autoindex off; in your config:
location /upload/ {
if ( $request_method = OPTIONS ) {
[...]
}
root /home/prosody-filer;
autoindex off;
[...]
}
There's an security issue in prosody-filer versions < 1.0.1 which leads to unwanted directory listings of download directories.
An attacker is able to list previous uploads of a certain user by shortening the URL and accessing a URL subdirectors other than
/upload/(or the corresponding user defined root dir)Version 1.0.1 and later fix this problem and allow only direct file access if the full path is known. Directory listings are blocked entirely.
If you're using the alternative Nginx configuration to let Nginx serve static files, make sure to set
autoindex off;in your config: