Luciano Passuello
Member
Posted 1 year ago
Hi, first of all thanks for this great plugin!
When using the data file option (instead of database), I noticed that the data is browseable, which constitutes a big security issue as it exposes the paths of all monitored files.
Just browse to:
http://<domain.com>/wp-content/plugins/wordpress-file-monitor-plus/data/.sc_wpfmp_scan_data
I believe that a properly-configured .htaccess in /data/ should fix this problem.
Hope this is useful!
http://wordpress.org/extend/plugins/wordpress-file-monitor-plus/
Luciano Passuello
Member
Posted 1 year ago
This .htaccess file does the trick (stolen from WP-DBManager plugin):
# Apache 2.2 syntax: deny web access to any file whose name contains a dot
<Files ~ ".*\..*">
order allow,deny
deny from all
</Files>
PS: Sorry for reporting a security issue publicly, but I couldn't find a way of privately contacting you.
In normal circumstances a web host shouldn't allow public access to '.' files, which is why I chose to store the data in a '.' file.
In the next version I will include an .htaccess file to block access to the '.' files. I will also add a note to the FAQ to CHMOD the data files so that they are not publicly viewable but are still editable by PHP.
As for contacting me privately you can get my email from any of the source files of my plugin.
Kind Regards
Scott Cariss
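The two mitigations discussed in this thread (the `<Files ~ ".*\..*">` rule posted above and the CHMOD advice in Scott's reply) can be checked and applied with a small audit script. The following is an added example written for this thread; it is not code from the plugin or from either poster. It builds a constructed sample data directory with made-up file names, reports which files are world-readable, whether an .htaccess is present, and which names the posted regex would not cover (the rule only matches names containing a dot), and then applies the fix: writes the .htaccess from the thread and sets the data files to mode 0600 so only the owning PHP user can read them. The directory layout, file names and `harden_data_dir`/`audit_data_dir` helpers are assumptions for illustration.

```python
import os
import re
import stat
import tempfile

# The rule as posted in the thread. Apache's <Files ~> matches the regex anywhere
# in the file name, so this denies any name that contains a dot.
HTACCESS_RULE = (
    '<Files ~ ".*\\..*">\n'
    "order allow,deny\n"
    "deny from all\n"
    "</Files>\n"
)
DOTFILE_RULE = re.compile(r".*\..*")


def is_blocked_by_rule(filename, pattern=DOTFILE_RULE):
    """True if the posted <Files ~> regex would deny web access to this name."""
    return pattern.search(filename) is not None


def audit_data_dir(path):
    """Return a list of findings for a plugin data directory.

    Findings: a missing .htaccess, files readable by 'other' (world-readable),
    and file names the posted regex would not cover (no dot in the name).
    """
    findings = []
    if not os.path.isfile(os.path.join(path, ".htaccess")):
        findings.append("missing .htaccess")
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full) or name == ".htaccess":
            continue
        mode = os.stat(full).st_mode
        if mode & stat.S_IROTH:
            findings.append(f"world-readable: {name}")
        if not is_blocked_by_rule(name):
            findings.append(f"not covered by dot rule: {name}")
    return findings


def harden_data_dir(path):
    """Apply the thread's fixes: drop in the .htaccess and chmod data files to 0600.

    0600 keeps the files editable by the PHP process (assumed to own them)
    while removing read access for every other local user.
    """
    with open(os.path.join(path, ".htaccess"), "w") as fh:
        fh.write(HTACCESS_RULE)
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isfile(full) and name != ".htaccess":
            os.chmod(full, 0o600)


def build_sample_dir():
    """Create a constructed data directory (hypothetical contents) and return its path."""
    path = tempfile.mkdtemp(prefix="wpfmp_data_")
    samples = [
        (".sc_wpfmp_scan_data", 0o644),  # the real data file name, left world-readable
        ("scan.log", 0o600),             # already restricted
        ("scandata", 0o644),             # constructed: no dot, so the rule would not cover it
    ]
    for name, mode in samples:
        full = os.path.join(path, name)
        with open(full, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(full, mode)
    return path


if __name__ == "__main__":
    d = build_sample_dir()
    print("before:", audit_data_dir(d))
    harden_data_dir(d)
    print("after: ", audit_data_dir(d))
```

The "not covered by dot rule" finding is the caveat worth keeping in mind: the posted regex protects the `.sc_wpfmp_scan_data` file, but any future data file written without a dot in its name would still be served, so the CHMOD step is the mitigation that does not depend on the file name or on the web server honouring .htaccess.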
Luciano Passuello
Member
Posted 1 year ago
That sounds perfect!
Thanks for the quick response, Scott! :)