WordPress File Monitor Plus
[resolved] Data files browseable (4 posts)

  1. Luciano Passuello
    Member
    Posted 2 years ago

    Hi, first of all thanks for this great plugin!

    When using the data file option (instead of database), I noticed that the data is browseable, which constitutes a big security issue as it exposes the paths of all monitored files.

    Just browse to:
    http://<domain.com>/wp-content/plugins/wordpress-file-monitor-plus/data/.sc_wpfmp_scan_data

    I believe that a properly-configured .htaccess in /data/ should fix this problem.

    Hope this is useful!

    http://wordpress.org/extend/plugins/wordpress-file-monitor-plus/

  2. Luciano Passuello
    Member
    Posted 2 years ago

    This .htaccess file does the trick (stolen from WP-DBManager plugin):

    <Files ~ ".*\..*">
    order allow,deny
    deny from all
    </Files>

    PS: Sorry for reporting a security issue publicly, but I couldn't find a way of privately contacting you.

  3. Scott Cariss
    Member
    Plugin Author
    Posted 2 years ago

    In normal circumstances a web host shouldn't allow public access to '.' files, which is why I chose to store the data in a '.' file.

    In the next version I will include an .htaccess file to block access to the '.' files. I will also add a FAQ entry on how to CHMOD the data files so that they are not publicly viewable but are still editable by PHP.

    As for contacting me privately you can get my email from any of the source files of my plugin.

    Kind Regards

    Scott Cariss
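    The two mitigations discussed in posts 2 and 3 (an .htaccess that denies web access to the data directory, and a CHMOD so the data file is editable by PHP but not publicly viewable), written out as an added PHP example. This is not the plugin's own code and not from either poster; the wpfmp_ function names, the data/ directory location, the index.php placeholder and the sample scan array are assumptions for illustration, and the .htaccess rules only take effect on Apache with AllowOverride enabled for that path.

```php
<?php
// Added example (not the plugin's code): lock down a plugin data directory.
// Assumes Apache with AllowOverride on; the data/ path and names are hypothetical.

const WPFMP_DATA_DIR  = __DIR__ . '/data';        // hypothetical location
const WPFMP_DATA_FILE = '.sc_wpfmp_scan_data';    // file name from the thread

/**
 * Write an .htaccess that denies all web access to the directory.
 * Covers both Apache 2.4 (Require) and 2.2 (Order/Deny) authorization syntax.
 */
function wpfmp_write_htaccess(string $dir): bool {
    $rules = <<<'HTACCESS'
# Deny direct web access to everything in this directory
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
HTACCESS;
    return file_put_contents($dir . '/.htaccess', $rules . "\n", LOCK_EX) !== false;
}

/**
 * Create the directory (not world-readable), write the deny rules and an empty
 * index.php so no directory listing is produced even where .htaccess is ignored.
 */
function wpfmp_prepare_data_dir(string $dir): bool {
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        return false;
    }
    chmod($dir, 0750);
    if (!wpfmp_write_htaccess($dir)) {
        return false;
    }
    if (!file_exists($dir . '/index.php')) {
        file_put_contents($dir . '/index.php', "<?php\n// Silence is golden.\n", LOCK_EX);
    }
    return true;
}

/**
 * Persist scan data readable/writable only by the PHP process owner (0600),
 * i.e. the CHMOD advice from the plugin author's reply. Written to a temp file
 * and renamed so a concurrent reader never sees a half-written file.
 */
function wpfmp_save_scan_data(string $dir, array $scan): bool {
    $path = $dir . '/' . WPFMP_DATA_FILE;
    $tmp  = $path . '.tmp';
    if (file_put_contents($tmp, serialize($scan), LOCK_EX) === false) {
        return false;
    }
    chmod($tmp, 0600);
    return rename($tmp, $path);
}

/** Return true when the data file grants no permission bits to "other" (world). */
function wpfmp_data_file_is_private(string $dir): bool {
    $path = $dir . '/' . WPFMP_DATA_FILE;
    if (!file_exists($path)) {
        return false;
    }
    clearstatcache(true, $path);
    return (fileperms($path) & 0007) === 0;
}

// Usage with constructed sample data (not real scan output):
$sample = ['/var/www/html/wp-config.php' => ['hash' => 'constructed-sample', 'mtime' => 0]];
if (wpfmp_prepare_data_dir(WPFMP_DATA_DIR) && wpfmp_save_scan_data(WPFMP_DATA_DIR, $sample)) {
    echo wpfmp_data_file_is_private(WPFMP_DATA_DIR)
        ? "data file is private\n"
        : "WARNING: data file is world-readable\n";
}
```

    Two caveats a practitioner should keep in mind. The .htaccess rules do nothing on servers that never read .htaccess (nginx, or Apache with AllowOverride None), so the permission check above is worth running regardless. And chmod 0600 only separates "PHP" from "the public" when PHP runs as a different user than the web server (for example a dedicated php-fpm pool user); under mod_php the web server user is the PHP user, and it can still serve the file, which is exactly why the deny rule and the file permissions are used together rather than either one alone.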

  4. Luciano Passuello
    Member
    Posted 2 years ago

    That sounds perfect!
    Thanks for the quick response, Scott! :)


This topic has been closed to new replies.
