• Hi WP-Cerber-Team,

    it would be great if there was a Hardening option which would check the request to uploaded content like https://site1.de/wp-content/uploads/sites/1/logo.jpg.
    Here it should take the site ID from sites/1 in the URI and check if the configured domain for that ID (so ‘1’ in this case) is actually part of the requested domain (so https://site1.de in this case). If not a 404 should be generated instead of serving the file.

    This would make it much harder to find information of other sites in a multi site installation (and with that also exploit such information in any way).

    A check like that should be fairly easy in a standalone plugin but obviously it would be great if it would be part of WP Cerber’s Hardening options.

    Best regards

  • Plugin Author gioni

    (@gioni)

    Hi! Unfortunately, there is a tiny thing that ruins everything. When it comes to static images, in most cases, they are served by a separate front-end server (e.g., NGINX), so none of the WordPress plugins can monitor any requests to static images. Even if the front-end server is configured to act as a back-end server that processes PHP files, it serves images separately and statically.

    Thread Starter Galfom

    (@galfom)

    @gioni thank you very much for the reply. I was just assuming WordPress would have a sort of download handler built in but since it is WordPress I guess it makes sense that it hasn’t.

    That obviously complicates this feature but maybe still wouldn’t make it impossible (though I really don’t know WordPress well enough to tell for sure). We would need to create a new download handler with that logic and forward all /uploads/ requests to it. But now, next to the actual hardening feature logic, we also would need to keep performance and security regarding file traversal in mind ourselves and also need to think about the best way to forward the requests (when we would rely on .htaccess it’s not compatible with nginx out of the box).

    Probably that is too much trouble just for a feature like that, though it would also allow more download monitoring and access control for it.

    Anyways, thanks for your effort with WP Cerber in general.
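The check the thread describes (site ID taken from `/wp-content/uploads/sites/<id>/…`, compared against that site's configured domain, 404 otherwise), including the traversal handling the second post worries about, as an added example that is not part of this thread or of WP Cerber. It is written in Python rather than PHP for illustration and assumes a constructed site-ID-to-domain table and that a subdomain of the configured domain counts as a match; as gioni notes, such a handler only helps if upload requests actually reach it instead of being served statically by the front-end server.

```python
import posixpath
import re
from typing import Mapping, Optional
from urllib.parse import unquote

# Constructed sample of a multisite "site ID -> configured domain" table;
# a real plugin would read this from WordPress's site records.
SITE_DOMAINS: Mapping[int, str] = {
    1: "site1.de",
    2: "site2.example",
}

# Per-site upload prefix used by WordPress multisite: /wp-content/uploads/sites/<id>/...
_SITE_UPLOAD_RE = re.compile(r"^/wp-content/uploads/sites/(\d+)/(.+)$")


def site_id_from_path(path: str) -> Optional[int]:
    """Return the site ID embedded in an uploads path, or None if there is none."""
    m = _SITE_UPLOAD_RE.match(path)
    return int(m.group(1)) if m else None


def is_safe_upload_path(path: str) -> bool:
    """Reject traversal and encoding tricks before the path reaches any file handler."""
    decoded = unquote(path)
    if "\x00" in decoded or "\\" in decoded or ".." in decoded.split("/"):
        return False
    # Normalising must be a no-op; otherwise the path carried "." or "//" noise.
    return posixpath.normpath(decoded) == decoded


def host_matches(configured: str, requested_host: str) -> bool:
    """True when the Host header is the configured domain or a subdomain of it (assumption)."""
    cfg = configured.lower().rstrip(".")
    host = requested_host.lower().split(":", 1)[0].rstrip(".")
    return host == cfg or host.endswith("." + cfg)


def upload_request_status(requested_host: str, path: str,
                          site_domains: Mapping[int, str] = SITE_DOMAINS) -> int:
    """HTTP status a download handler would answer with: 200 to serve, 404 to refuse."""
    if not is_safe_upload_path(path):
        return 404
    site_id = site_id_from_path(path)
    if site_id is None:
        return 200  # not a per-site upload (e.g. the network's main site); outside this check
    configured = site_domains.get(site_id)
    if configured is None or not host_matches(configured, requested_host):
        return 404
    return 200
```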

  • The topic ‘Feature Request: Multisite file request hardening’ is closed to new replies.