Support » Plugin: Visual Form Builder » file uploads unprotected (security issue)

  • Resolved — Marcel Jong (@mfjtf)


    We had a privacy / security issue where CVs were uploaded via the “File Upload” field. Because the SEO module started communicating the attachments via the sitemap to search engines, these CVs were indexed!

    How can this security problem be solved? How can the file uploads be protected?

Viewing 2 replies - 1 through 2 (of 2 total)
  • @mfjtf I am not associated with this plugin…. but, you should report security issues privately, to give the supplier an opportunity to fix them before attackers start exploiting them.

    But since this is now public, we may as well carry on.

    This appears to be a problem on every install:

    – If you have VFB and directory browsing enabled, anyone can see everything at /wp-content/uploads/vfb/

    – Even without directory browsing, lots of attachment names are guessable. E.g. there’s likely to be a csv.pdf or csv.doc in there most months.

    – And then Google ‘inurl:wp-content/uploads/vfb’ (and add a site: tag if you want to target a particular site). That’ll get anything that has directory indexing, or that some SEO plugin helpfully submitted to Google for you.

    Solutions:

    1) Add this to your robots.txt:

    User-agent: *
    Disallow: /wp-content/uploads/vfb/

    N.B. This tells the world that you’re using VFB and that interesting stuff is in that directory. So don’t *only* do that.

    2) Add password protection on the directory so that only authorised people can access it. Use .htaccess or whatever is appropriate for your webserver.

    To fix this in the plugin, the author should use WP’s facility to append to the default robots.txt file, and show the user a big warning about adding password protection if there is none (the admin dashboard can easily make a back-end HTTP request and see if it gets through). And/or put in a default .htaccess (plus warning for non-Apache users) that blocks all access, and instead make accesses go via an authenticated path that checks credentials (e.g. require admin login).

    Possibly also the plugin author can hook in to the most popular SEO plugins to tell them to exclude things from the VFB directory.
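    The mitigation sketched in the reply above (deny direct access to the upload directory, serve files only through an authenticated path, and have the dashboard probe whether the directory is still reachable), as an added example in the form of a small WordPress plugin. This is not code from Visual Form Builder or its author; the `vfb` upload subdirectory is taken from the thread, and every `vfbg_*` name and the `vfbg-probe.txt` file are assumptions of this example.

```php
<?php
/* Plugin Name: VFB upload guard (added example, not code from Visual Form Builder) */
const VFBG_SUBDIR = 'vfb'; // upload directory named in the thread (assumed)

function vfbg_dir() {
    return trailingslashit( wp_upload_dir()['basedir'] ) . VFBG_SUBDIR;
}

// 1) Deny direct web access (Apache only) and drop a probe file for the check below.
function vfbg_write_htaccess() {
    $dir = vfbg_dir();
    if ( ! is_dir( $dir ) ) {
        return;
    }
    $rules = "<IfModule mod_authz_core.c>\nRequire all denied\n</IfModule>\n"
           . "<IfModule !mod_authz_core.c>\nOrder deny,allow\nDeny from all\n</IfModule>\n";
    file_put_contents( $dir . '/.htaccess', $rules );
    file_put_contents( $dir . '/vfbg-probe.txt', "probe\n" );
}
add_action( 'admin_init', 'vfbg_write_htaccess' );

// 2) Authenticated download path: admin-post.php?action=vfbg_download&file=<name>
function vfbg_download() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    $dir  = realpath( vfbg_dir() );
    $name = basename( wp_unslash( $_GET['file'] ?? '' ) ); // drop any path components
    $path = realpath( $dir . '/' . $name );
    // realpath plus prefix check keeps the request inside the upload directory
    if ( ! $dir || ! $path || strpos( $path, $dir . DIRECTORY_SEPARATOR ) !== 0 || ! is_file( $path ) ) {
        wp_die( 'Not found', '', array( 'response' => 404 ) );
    }
    nocache_headers();
    header( 'X-Robots-Tag: noindex, nofollow' );
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . rawurlencode( $name ) . '"' );
    readfile( $path );
    exit;
}
add_action( 'admin_post_vfbg_download', 'vfbg_download' );

// 3) Back-end probe: if the probe file is served anonymously, the directory is still open.
function vfbg_probe_notice() {
    $url  = trailingslashit( wp_upload_dir()['baseurl'] ) . VFBG_SUBDIR . '/vfbg-probe.txt';
    $resp = wp_remote_head( $url, array( 'timeout' => 5 ) );
    if ( ! is_wp_error( $resp ) && 200 === (int) wp_remote_retrieve_response_code( $resp ) ) {
        echo '<div class="notice notice-error"><p>The VFB upload directory is publicly readable: add server-side access control.</p></div>';
    }
}
add_action( 'admin_notices', 'vfbg_probe_notice' );
```

On nginx or other non-Apache servers the .htaccess rules are ignored, which is exactly the case the probe notice is meant to surface.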

  • The topic ‘file uploads unprotected (security issue)’ is closed to new replies.