WordPress.org

Ready to get started?Download WordPress

Forums

Job Manager
Uploaded CV Security (10 posts)

  1. Jason Judge
    Member
    Posted 3 years ago #

    The whole plugin looks great, and is well organised and functionally hits the nail on the head.

    One thing though: uploaded CVs are placed into the public upload area, and are not protected in any way (e.g. the original filename is retained). Uploading a CV, I was able to download it from another browser when not even logged in.

    The CVs need to be protected behind a security fence so that only administrators (or whatever role manages the job applications) can download them.

    -- Jason

    http://wordpress.org/extend/plugins/job-manager/

  2. Jason Judge
    Member
    Posted 3 years ago #

    Just to be clear on this, the job manager does provide its own URLs to the uploaded CVs, and they are protected, e.g.

    http://example.com/jobman_app/application/attachment/cv-filename/

    Without privileges, the user gets a 404.

    However, when clicking on the download link there, WP redirects to the media centre URL to download the actual document, e.g. on my network-enabled WP site:

    http://example.com/content/blogs.dir/1/files/2011/05/cv-filename.pdf

    It is this URL that is not protected. A bit of trial-and-error is likely to uncover some CVs (mycv.doc anyone?), and knowing WordPress, it is only time before some other module stucks all the direct CV URLs into a sitemap.

    This is a really nice job board though, so this is something that is well worth fixing.

  3. Gary Pendergast
    Member
    Plugin Author

    Posted 3 years ago #

    The issue here is that Job Manager uses WordPress' built in media system, which has no concept of private/public files. (This is being discussed here: http://core.trac.wordpress.org/ticket/17255 )

    The problem with implementing a fix for this is that there is no lightweight way to authenticate a user.

    While I understand the concern, I think this can be considered a low risk for the time being. Guessing the filename of a specific CV (as opposed to a random CV) would be quite tricky, and would only yield information that is already usually publicly available. (Ie, through LinkedIn.)

  4. Jason Judge
    Member
    Posted 3 years ago #

    Hmm, I'll have to disagree on this being a low risk, because there are so many doors that can expose the media on WordPress in an uncontrolled way. It is something that people need to be aware of and treat appropriately.

    Personal information can be put in CVs that absolutely should not be made public. There are privacy laws (in the EC) that come down heavily on companies not treating this seriously.

    Now, it is great that this plugin is using built-in WordPress functionality (it is one thing that draws me to it as a quality piece of software). I wonder if there are other plugins that can handle privileges within the media section? Or maybe there is a way for Job Manager to specify an alternative upload location? I'll have a dig around myself and see if anything catches my eye.

    Yeah, WordPress is a CMS that makes a lot of things easy compared to some other CMSs, but its whole reason for being is for publishing stuff to the world, and so it does lack a certain amount of privilege framework. So it does make some things more difficult to protect and hide. It is not something that should be dismissed though. IMO it does need sorting, but I am at a loss to suggest how to sort it at this stage.

  5. ablova
    Member
    Posted 3 years ago #

    If anyone finds a way to solve this please share!!

  6. ablova
    Member
    Posted 3 years ago #

    By the way is it posible to change the upload folder??

  7. Kelley Reed
    Member
    Posted 3 years ago #

    You can password protect your uploads folder. It would require anyone going to the specific resume URL to have a WP log-in to view the information. It's a simple change to your .htaccess file:

    After:
    RewriteBase /

    Insert:
    RewriteCond %{REQUEST_URI} ^.*uploads/.*
    RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]
    RewriteRule . /wp-login.php?redirect_to=%{REQUEST_URI} [R,L]

    Before:
    RewriteRule ^index\.php$ - [L]

    I hope this information helps! :)

  8. Jason Judge
    Member
    Posted 3 years ago #

    @Kelly - that's a useful technique, but does it not rely on the "wordpress_logged_in" cookie being created by the WordPress installation? The problems I see are:

    * This technique assumes that if the cookie exists, then the user is logged in. Since a user can create any cookie they like, they could simply create the cookie and get through this check.

    * The check does not distinguish between different roles for users logged in. It assumes that ANY logged in user has access to all the uploads. This includes users that have registered to upload a CV and so get access to other users CVs.

    I think the way to do this is to redirect ALL upload URLs through a script that checks the roles the user has. The difficulty is the way the CVs are mixed in with all other uploads, including images and other documents that should be freely available to anonymous users.

    Thanks for sharing - it is a step towards finding a solution, which may involve a separate plugin to secure uploaded files according to roles.

    -- Jason

  9. danbrady
    Member
    Posted 2 years ago #

    The Zartis job plugin looks interesting: http://wordpress.org/extend/plugins/zartis-job-plugin/ although their site is thin on info, it does claim to have CV upload.

    A more heavyweight (and paid) option is Jobroller which is a full job board inc CV upload and a searchable CV index: http://www.appthemes.com/themes/jobroller/

    I have no idea how secure either option is.

  10. wibbsy
    Member
    Posted 2 years ago #

    The CV security is a big risk, particularly for businesses in the EU due to stringent data protection regulations.

    I also saw a post in the forum where google had crawled through the upload directories and was returning the cv as a google search result?

    In terms of fixing, yes you can change you .htaccess and robots file for the search engines but the open access of the storage is a significant issue.

    Is there scope for a separate protected folder within the plugin directory that can store the CVs? In the same way that S2 member plugin restricts file access and downloads? (both on single and multi-site installations)

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic