• Hi friends!
    One of my clients wants to sell his PDFs and ePub-formatted books on his WordPress site. But I’ve just learned that WordPress by default will not allow uploading of epub files. Reason given: “poses a security risk”.

    Then I found two plugins that change WP to allow epub and mobi MIME types. I’m nervous about using one of these plugins because:
    1. What is the security risk for having an epub file in the media library?
    2. The plugins only have 300 and 10 downloads. They are fairly new and have only 1 review between them. Also, the first developer’s website is not in English, so I can’t learn about the plugin’s safety.

    I want to know if it is okay (any problems caused by epubs?) to upload these file types. If not, what do people do who want to sell ePubs? If it is okay, are these plugins viable and safe to use?

    Thanks!
    Mary Ellen

    p.s. Client is using WooCommerce for sales and merchant account.

    • This topic was modified 7 years, 8 months ago by musicmegga.
Viewing 4 replies - 1 through 4 (of 4 total)
  • I’m not sure why WordPress blocks those formats, but to be safe you should always block execution of files from the /Uploads directory. It’s a single checked box in Wordfence (which all of your sites should have installed by default, in my opinion.)

    Thread Starter musicmegga

    (@musicmegga)

    Thanks for your response, @ewimsatt

    Is an ePub file an executable file?

    If I enable ePub uploads using one of these plugins, then also add Wordfence and check that setting?

    I am hoping to get more understanding of this issue with further replies from folks here.

    Useful info here about how to allow the upload of .epub files through code added to your theme’s functions.php file (create a backup first!). Check the section titled “Other epub and mobi pit-falls to look out for” and the associated link as this may shed light on the issues surrounding allowing .epub uploads. Also, the folks over at easydigitaldownloads may be able to offer some useful suggestions.

    Moderator bcworkz

    (@bcworkz)

    epub files are essentially an entire website zipped into a single file. Just like there can be malicious sites, there can be malicious epub files. Just like being careful in which websites you visit, one needs to be careful which epub files one reads. I’m not sure, but it’s likely that malicious code can be contained within an epub file. Once the file is saved to the server, another process could extract and execute the code. While not risky in itself, it can contribute to an increased risk when other vulnerabilities are exploited. Furthermore, what I do know is that through other mechanisms the end user could be compromised by simply reading a malicious epub file.

    Since WP cannot know how people source epub files, for the sake of safety they are blacklisted by default. The ability for plugins to override this is an intentional provision to allow those that need the capability to still have it.

    WooCommerce supports downloadable products. Such products do not need to be in the media library, they only need to be accessible by PHP. Thus epub files could be uploaded via FTP and sold through WooCommerce without the need for epub media upload capability through a plugin.

    As long as the epub files are self-created using established, reliable apps, and the resulting files cannot be subsequently manipulated by other parties, the files are completely safe to upload and to offer for downloading.

    Disclaimer: I am not a security expert. While I’ve presented information to the best of my knowledge, there could be gaps in my knowledge of security issues that pertain to epub files.
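
Added example, not part of the thread or of any plugin mentioned in it: because an epub is a ZIP archive of web content, a site owner can inspect a file before putting it on the server. The sketch below checks the container layout and lists entries that carry script or server-executable content; the extension and marker lists and the `build_sample` helper are assumptions made for this illustration, and the sample archive is constructed.

```python
import io
import zipfile

# Assumed extension and marker lists for this example; tune them to your catalogue.
RISKY_EXT = (".php", ".phtml", ".phar", ".js", ".exe", ".sh", ".cgi", ".pl", ".jar")
MARKUP_EXT = (".xhtml", ".html", ".htm", ".svg")
SCRIPT_MARKERS = (b"<script", b"javascript:", b"<?php")


def audit_epub(data):
    """Return a list of findings for EPUB bytes; an empty list means nothing was flagged."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a ZIP archive"]
    findings = []
    with zf:
        infos = zf.infolist()
        # EPUB container rule: the first entry is "mimetype", stored uncompressed.
        first = infos[0] if infos else None
        if (first is None or first.filename != "mimetype"
                or first.compress_type != zipfile.ZIP_STORED
                or zf.read(first) != b"application/epub+zip"):
            findings.append("missing or invalid mimetype entry")
        if "META-INF/container.xml" not in zf.namelist():
            findings.append("missing META-INF/container.xml")
        for info in infos:
            name, lower = info.filename, info.filename.lower()
            if name.startswith("/") or ".." in name.split("/"):
                findings.append(f"path traversal name: {name}")
            if lower.endswith(RISKY_EXT):
                findings.append(f"active content file: {name}")
            elif lower.endswith(MARKUP_EXT):
                body = zf.read(info).lower()
                findings += [f"{m.decode()} found in {name}"
                             for m in SCRIPT_MARKERS if m in body]
    return findings


def build_sample(extra):
    """Build a constructed sample EPUB in memory; extra maps entry name to bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(zipfile.ZipInfo("mimetype"), b"application/epub+zip")  # stored
        zf.writestr("META-INF/container.xml", b"<container/>")
        zf.writestr("OEBPS/ch1.xhtml", b"<html><body><p>Chapter 1</p></body></html>")
        for name, body in extra.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

A finding is a prompt for manual review rather than proof of malice, since EPUB 3 permits scripted content in legitimate books.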

  • The topic ‘What is the security risk posed by uploading ePub files?’ is closed to new replies.