Attached support files are publicly viewable.

  • Resolved Corey Kretsinger

    (@corey-kretsinger)


    7 years, 1 month ago

    The files being uploaded to support tickets are publicly view-able. This is a security risk, as all kinds of info could be uploaded to a support ticket. It’s also a privacy issue since clients aren’t going to want their files to be view-able/index-able.

    The page I need help with: [log in to see the link]

Viewing 8 replies - 1 through 8 (of 8 total)
  • Thread Starter Corey Kretsinger

    (@corey-kretsinger)

    The link above is to a file I uploaded through the support panel as another user.

    Plugin Author smartcat

    (@smartcat)

    This is default WordPress behaviour, media is directly accessible with a URL.

    You can block access in various ways, such as .htaccess, or there are also plugins that block direct access to files, and you can probably even specify file-types.

    But yeah this is the same case even for very popular e-commerce plugins, such as Easy Digital Downloads.
    Purchasable items are publicly downloadable by URL, by anyone who has a URL.

    Regarding indexing, you can again use plugins to prevent indexing the support_uploads folder, or the uploads folder all-together.

    • This reply was modified 7 years, 1 month ago by smartcat.
    Thread Starter Corey Kretsinger

    (@corey-kretsinger)

    Is there a way to change the folder these files go into so one could protect just that folder and not block access to the entire uploads directory?

    EDD uses a special folder and blocks it with .htaccess

    https://docs.easydigitaldownloads.com/article/194-are-download-files-protected

    Nice plugin. I want to buy the upgrade, but need to make sure it’s going to work for my purposes.

    Thanks for all of your responses.

    ~ Corey

    Plugin Author smartcat

    (@smartcat)

    ill definitely look into file protection. My thought was not to meddle with people’s server config, as each plugin user has different use and requirements. however yeah it would be a nice option to give, i probably wouldn’t force protection by default, but perhaps have an option in the settings allowing users to turn on file protection.

    For the time being, the approach would be for the user to add the rules to their server, ill add a knowledge base article about that.

    thanks!

    Thread Starter Corey Kretsinger

    (@corey-kretsinger)

    Thanks. Will keep an eye out in case you implement this.

    Blocking all media isn’t an option for me. Would be terrible for SEO.

    Thanks again.

    ~ Corey

    Plugin Author smartcat

    (@smartcat)

    Can you not just block access to only the uCare uploads folder ?
    /wp-content/uploads/support_uploads/

    Plugin Author smartcat

    (@smartcat)

    FYI: https://github.com/smartcatdev/support-system/issues/314

    Thread Starter Corey Kretsinger

    (@corey-kretsinger)

    Ha! Yeah, that shouldn’t be a problem. Should have looked to see if you had a special folder via FTP. I didn’t do that. Saw it show up in my media library and thought it was just going into normal upload folders.

    You can see I was misguided in my question from above

    Is there a way to change the folder these files go into so one could protect just that folder and not block access to the entire uploads directory?

    This should work just fine.

    Thanks!

    ~ Corey

Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘Attached support files are publicly viewable.’ is closed to new replies.