[Plugin: WordPress File Monitor Plus] Data files browseable | WordPress.org

Resolved Anonymous User 388516
(@anonymized-388516)

12 years, 11 months ago

Hi, first of all thanks for this great plugin!

When using the data file option (instead of database), I noticed that the data is browseable, which constitutes a big security issue as it exposes the paths of all monitored files.

Just browse to:
http://<domain.com>/wp-content/plugins/wordpress-file-monitor-plus/data/.sc_wpfmp_scan_data

I believe that a properly-configured .htaccess in /data/ should fix this problem.

Hope this is useful!

http://wordpress.org/extend/plugins/wordpress-file-monitor-plus/

Viewing 3 replies - 1 through 3 (of 3 total)

Thread Starter Anonymous User 388516
(@anonymized-388516)

12 years, 11 months ago

This .htaccess file does the trick (stolen from WP-DBManager plugin):

<Files ~ “.*\..*”>
order allow,deny
deny from all
</Files>

PS: Sorry for reporting a security issue publicly, but I couldn’t find a way of privately contacting you.

Plugin Author Scott Cariss
(@l3rady)

12 years, 11 months ago

In normal circumstances a web host shouldn’t allow access to ‘.’ files publicly hence why I chose to store the data in a ‘.’ file.

Next version I will include a htaccess file to block access to the ‘.’ files. But also I will put in FAQ to CHMOD the data files so that they are not publicly viewable but editable by PHP.

As for contacting me privately you can get my email from any of the source files of my plugin.

Kind Regards

Scott Cariss

Thread Starter Anonymous User 388516
(@anonymized-388516)

12 years, 11 months ago

That sounds perfect!
Thanks for the quick response, Scott! 🙂

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘[Plugin: WordPress File Monitor Plus] Data files browseable’ is closed to new replies.

In: Plugins
3 replies
2 participants
Last reply from: Anonymous User 388516
Last activity: 12 years, 11 months ago
Status: resolved