Just found out that Oxwall simply saves attachments to comments using the following rule: attach_xx.ext, where xx is a number and ext is the file extension. The problem is that you can simply go to any Oxwall website and look at the ow_userfiles/plugins/base/attachments/attach_xx.jpg folder and access pictures that shouldn't be available publicly.
Here's an example, from the Oxwall Demo site:
http://demo.oxwall.org/ow_userfiles/plugins/base/attachments/attach_1.jpg
As a workaround, here's what I did.
Open ow_system_plugins\base\controllers\attachment.php
Replace:
$fileName = 'attach_' . $attachDto->getId() . '.' . UTIL_File::getExtension($_FILES['attachment']['name']);
With:
$addDatetime = time();
$fileName = 'attach_' . $attachDto->getId() . '_' . $addDatetime . '.' . UTIL_File::getExtension($_FILES['attachment']['name']);
Hope this helps! :)
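A variant of the rename above, added here as an example and not taken from the original post or from Oxwall: time() has one-second resolution, so this version takes the suffix from random_bytes() instead. The function name buildAttachmentFileName, the extension allowlist and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not part of Oxwall.

/**
 * Build an attachment file name whose suffix cannot be derived from the
 * attachment id or the upload time.
 */
function buildAttachmentFileName(int $attachId, string $originalName, array $allowedExt): string
{
    // Take the extension from the client-supplied name and normalise it.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));

    // Reject anything outside the allowlist (also covers names with no extension).
    if (!in_array($ext, $allowedExt, true)) {
        throw new InvalidArgumentException('Extension not allowed: ' . $ext);
    }

    // 16 bytes from the OS CSPRNG -> 32 hex characters (128 bits).
    $token = bin2hex(random_bytes(16));

    return 'attach_' . $attachId . '_' . $token . '.' . $ext;
}

// Constructed sample input: attachment id 42 and two client-supplied names.
$allowed = ['jpg', 'jpeg', 'png', 'gif'];

foreach (['holiday.JPG', 'notes.php'] as $name) {
    try {
        echo $name, ' -> ', buildAttachmentFileName(42, $name, $allowed), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $name, ' -> rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

In the controller from the post, the call would take the place of the line that builds $fileName, passing $attachDto->getId() and $_FILES['attachment']['name']. random_bytes() requires PHP 7 or later.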