• Resolved hiherao

    (@hiherao)


    Hi, I’m trying the SP Client Document at your demo site and I noticed that if you put the download file URL directly into the browser
    http://smartypantsplugins.com/wp-content/plugins/sp-client-document-manager/download.php?fid=XXX
    and then change the last parameter, the file ID, you can download files from other users.
    The same happens when you are logged in as a registered user. I found this problem on my website once I updated to the trial premium version.
    Is this the normal behaviour, or is it a security trouble?

    http://ww.wp.xz.cn/plugins/sp-client-document-manager/

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author smartypants

    (@smartypants)

    Hi there, to fix this all you need to do is enable the “Require Login to Download?” option.

    Thread Starter hiherao

    (@hiherao)

    I have enabled this option and yes, when you request this URL the system requires you to enter a registered user and password. But if you request the same URL and manually change the file ID at the end of the URL, you can download files from other users. Please try this step, I think it’s an important issue.
    http://smartypantsplugins.com/wp-content/plugins/sp-client-document-manager/download.php?fid=XXX (where XXX is the file ID, a numeric value)

    Plugin Author smartypants

    (@smartypants)

    Hi Hiherao,

    I just released an update that fixes this issue. The URL is now encrypted with no chance of guessing the URL.

    Thread Starter hiherao

    (@hiherao)

    Perfect! You have done a good fix, now the system is more secure.
    Congrats!


The topic ‘Security trouble through url’ is closed to new replies.
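
The behaviour reported in this thread, as an added example that is not part of the original posts and is not the plugin's code: a login-only gate on a `fid` parameter compared with a per-request ownership check. The file table, user IDs and function names are hypothetical and constructed for illustration.

```php
<?php
// Added example: constructed data and hypothetical names; not the plugin's code.
declare(strict_types=1);

// Constructed file table: file ID => owning user ID and stored name.
const FILES = [
    101 => ['owner' => 7, 'name' => 'alice-contract.pdf'],
    102 => ['owner' => 8, 'name' => 'bob-invoice.pdf'],
];

// Login-only gate: any authenticated user passes, whatever fid is requested.
function can_download_login_only(?int $userId, int $fid): bool
{
    return $userId !== null && array_key_exists($fid, FILES);
}

// Ownership gate: the requested file must belong to the requesting user.
function can_download_owner(?int $userId, int $fid): bool
{
    return $userId !== null
        && array_key_exists($fid, FILES)
        && FILES[$fid]['owner'] === $userId;
}

// Parse fid strictly as a positive integer; anything else is rejected.
function parse_fid(string $raw): ?int
{
    $fid = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $fid === false ? null : $fid;
}

// Simulated requests: [logged-in user ID or null, raw fid parameter].
$requests = [[7, '101'], [7, '102'], [null, '101'], [8, '102'], [7, '102abc']];

foreach ($requests as [$user, $rawFid]) {
    $fid = parse_fid($rawFid);
    $loginOnly = $fid !== null && can_download_login_only($user, $fid);
    $owner     = $fid !== null && can_download_owner($user, $fid);
    printf(
        "user=%s fid=%-8s login-only=%s owner-check=%s\n",
        $user ?? 'anon',
        $rawFid,
        $loginOnly ? 'ALLOW' : 'deny',
        $owner ? 'ALLOW' : 'deny'
    );
}
```

The second row (user 7 requesting file 102) is the case described in the thread: the login-only gate allows it and the ownership check denies it. The ownership check gives the same result whether or not the file ID in the URL is hard to guess.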