• Resolved Dieter Schummer

    (@ds888)


    Hi,
    the plugin has no distinction between DOWNLOAD and OPEN files.
    On DOWNLOAD the users don’t see the file URL – that’s ok, but on OPEN the users see the file URL!!!

    At the moment we can only enable/disable operations with the following restrictions:

    Make Directory
    Make File
    Rename
    Duplicate
    Paste
    Archive
    Extract
    Copy
    Cut
    Edit
    Delete
    Download
    Upload
    Search
    Info
    Empty
    Resize

    We have restricted all of them except Download. And with DOWNLOAD the users can also OPEN the file.

    Our main problem is that the users then still see the COMPLETE URL on OPEN file!!!

    I think the plugin should differentiate between DOWNLOAD and OPEN in the user restrictions!?

    Thanks & Regards

Viewing 8 replies - 1 through 8 (of 8 total)
  • Thread Starter Dieter Schummer

    (@ds888)

    … 2 weeks later we have the following email from plugin support:

    “Thanks for being patient.

    We are operating in GMT(+5:30). Please share a convenient time on Monday to set up a meeting with you to fix the issue at your end.

    Our support team is available from 10:00 AM to 6:00 PM GMT(+5:30) (Monday to Friday).

    We have checked and fixed the issue at our end so we need to check and make some changes on your end,

    Regards,
    Support Team-File Manager Pro”

    I think this is not a special problem in our environment and such a security fix should be solved asap with a plugin update …

    Thread Starter Dieter Schummer

    (@ds888)

    … any news or timeline for the fixing ?

    Thread Starter Dieter Schummer

    (@ds888)

    … any news or timeline for the fixing ?

    is it fixed ?

    Thread Starter Dieter Schummer

    (@ds888)

    @nouniz
    sorry, no

    @support Team-File Manager Pro
    … any news or timeline for the fixing ?

    Hello,

    I saw your subject about security.

    I would like to create a “private folder” per user with this plugin, but I saw that the plugin automatically creates a folder per user in “wp-content/uploads/wp-file-manager-pro/users”, but there is a security failure! If one user follows the URI “https//mywebsite/wp-content/uploads/wp-file-manager-pro/users”, that user can see ALL folders in /user without restriction. Do you have the same problem?

    Thread Starter Dieter Schummer

    (@ds888)

    I think that’s also another security problem.

    Strange that the support hasn’t been in touch for weeks although a hotfix has been promised ??

    Maybe we have to look for an alternative implementation or plugin …

    Hi Dieter @ds888

    Is your issue related to the free or the pro version of the plugin?

    I’d like to know how I can reproduce the issue. Can you send me a quick step-by-step instruction?

    I am just a user of the wp file manager plugin as well but would like to see if my systems are affected by this issue. I am a developer, so I might be able to implement a fix then.

    Btw. As general advice, (in my opinion) the file manager plugin should not be made available to non-admin users.

    The potential risk is high that someone without admin access can use the file manager to get read/write access to WordPress core or plugin files. That could happen due to a bug in the plugin itself or in the original library named “elFinder” that the wp file manager plugin is based on. jm2c

    The wp file manager plugin is excellent, and I love it, but it should be handled with care and some precaution because it’s such a powerful tool.
    “With great power comes great responsibility.”

  • The topic ‘Security bug !!! users see the complete url with OPEN file’ is closed to new replies.