File uploads .. Security issue
So I was cleaning a client's server and noticed imported zip files are stored with 644 permissions in wp-uploads/wpallimport/ with no .htaccess file preventing public downloads!! Also, this persists even if the plugin is deleted (e.g. the uploads folder) and the contents remain intact.
Yes, the file names are long, but this is a major risk as it is possible for these files to be downloaded (which may include customer data) if someone is able to find the specific zip file name, public URI and access the specific path, e.g. http://www.example.com/wp-content/uwpallimport/xxxx-mylong-backupname-withdate.zip etc.
Glad I caught this in case Google somehow indexed or someone somehow discovered these uploads! Extremely unlikely, but just saying someone else/the plugin developer might find this helpful in hardening the plugin or their specific WordPress instance!
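An audit and hardening helper for the problem described above, added here as an example (it is not code from the post or from the plugin). It assumes Apache honours .htaccess under wp-content (nginx ignores .htaccess and needs a location block instead), uses the import directory path named in the post, and the file names and modes it handles are constructed.

```shell
#!/bin/sh
# Added example (not code from the forum post or the plugin). Assumptions:
# Apache with AllowOverride enabled for wp-content; the import directory is
# the one named in the post; sample file names/permissions are constructed.

IMPORT_SUBDIR="wp-content/uploads/wpallimport"

# Print the number of files in the import directory whose "other" read bit is
# set (mode 644 and similar): files any web server user could serve directly
# if nothing blocks the request.
count_exposed_files() {
    dir="$1/$IMPORT_SUBDIR"
    n=0
    [ -d "$dir" ] || { echo 0; return 0; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Column 8 of `ls -l` is the other-read bit: 'r' when world-readable.
        case "$(ls -ld "$f" | cut -c8)" in
            r) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Write a deny-all .htaccess into the import directory and strip the "other"
# bits from existing files. The .htaccess is what actually stops downloads;
# the chmod only helps when the web server runs as a different user than
# the PHP process that wrote the files.
harden_import_dir() {
    dir="$1/$IMPORT_SUBDIR"
    [ -d "$dir" ] || return 1
    cat > "$dir/.htaccess" <<'EOF'
# Block direct HTTP access to imported data files (Apache 2.4 and 2.2 syntax)
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
    chmod 644 "$dir/.htaccess"   # Apache itself must be able to read it
    find "$dir" -type f ! -name .htaccess -exec chmod o-rwx {} +
}

# Stand-alone use: ./audit-wpallimport.sh /var/www/html
if [ $# -gt 0 ]; then
    echo "world-readable import files: $(count_exposed_files "$1")"
    harden_import_dir "$1" && echo "hardened $1/$IMPORT_SUBDIR"
fi
```

Run the count first to see what is exposed, then re-run it after hardening to confirm it reports zero.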