• Resolved flomei

    (@flomei)


    It has come to my attention through a WPSE post that your plugin uses the AUTH_KEY to generate folder names for download links.

    While this might obviously be a problem with illegal characters in the URL, revealing the AUTH_KEY in links might introduce security risks to a WordPress system.

    Could you please tell us why you chose this way and whether you can think about changing this to a more secure solution?

    Thanks!

    https://ww.wp.xz.cn/plugins/sp-client-document-manager/

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author smartypants

    (@smartypants)

    Hey, how's it going!

    We totally understand your security concern, but we are not able to address premium plugin issues on this forum. If you could go over to http://www.smartypantsplugins.com and submit a ticket, we can look into a patch for this issue.

    Thread Starter flomei

    (@flomei)

    This is no “premium plugin issue”, this is security-violating functionality of your plugin, no matter whether you sell that plugin or not.

    Plugin Author smartypants

    (@smartypants)

    Hello, sorry for the misunderstanding, but it's against WordPress policy to address premium plugin concerns via this forum. Please submit a forum topic or ticket on our premium site. Thanks! http://www.smartypantsplugins.com/

    Plugin Author smartypants

    (@smartypants)

    Hey, how's it going, this is now fixed in the premium version. In the future, if you have a premium issue, please visit our website and submit a ticket. We are very interested in security concerns!

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Advisor and Activist

    I deleted Erik’s post.

    DO NOT submit tickets in the repo for plugins. Just … don’t. No one looks at them.

    YES report security issues to [email protected]

    If this issue is with ONLY a premium version, then it belongs in the premium site.

The topic ‘Possible security concern in this plugin’ is closed to new replies.