Support » Plugin: Contact Form 7 Database Addon - CFDB7 » Files uploaded via this plugin are public!

  • Hello everyone. I’m writing this because I believe it’s important to everyone, something of public interest I would say.

    I wrote to the author of the plugin via their support form here to report something that has already been reported by another user.

    In a few words: the files uploaded via a contact form with this plugin installed are stored in a folder, and they are public.

    The author of the plugin answered saying that it was a server issue (?!?) and after that (and after some of my dubious answers) he started to provide some solutions and an update of the plugin which basically prevents the indexability of that folder by inserting an index.php file in the folder in question. This at least fixed that aspect. Which is good.

    But when I insisted, saying that the files inside the folder were still public, he started answering something like “You can reach those file because you know the file name and timestamp. But hackers can’t understand filename and timestamp.” or “File name is changing. We are prepend time stamp in file name. Hackers can’t understand file name.” and that “I was not thinking logically”.

    Which is also true, because the names of the files you upload are prepended with a timestamp.

    But IMHO this is not the right way to approach security and privacy. And I would also say customer care, but that’s another topic. I don’t want to put the privacy of my users and the data they gave me (CVs, IDs, pictures…whatever) at stake because “hackers can’t understand filename and timestamp” while I’m sure other solutions are out there to prevent the public from accessing that file, no matter what its name is.

    To give you another example, I wrote to the support team of Webba Booking for a similar issue…well, look at how they tackled it. A whole different story.

    GDPR (and other similar privacy laws around the world) is very clear in stating “Privacy by design”: protect data with strong security systems, do not assume data will take care of itself, etc.

    Last but not least, I’m concerned about the fact that I can’t find any mention of this in the plugin documentation. At least…inform us about it! Do not let it be a nice discovery of a random day.

    In conclusion, personally I will immediately uninstall this plugin. I’m sad because it’s a great plugin, very useful. But I don’t want to sacrifice the privacy of my users for usefulness.

    Hope this can help others.

    Best regards

    • This topic was modified 4 months, 3 weeks ago by scoutingnow.
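    The thread above distinguishes two things: an index.php only hides the directory listing, while the files themselves stay reachable by anyone who knows (or guesses) the timestamped name. Below is an added example of the other approach the original poster asks for, written here for illustration and not taken from the plugin or from anyone in this thread: deny every direct web request to the upload directory, and hand files out only through a capability-checked WordPress handler. The directory name `cfdb7_uploads`, the `cfdb7_download` action name and the `manage_options` capability are assumptions; the page does not name the real folder.

```php
<?php
// Added example, not the plugin's code. Assumes the uploads live in
// wp-content/uploads/cfdb7_uploads/ (assumed name) and that Apache honours
// .htaccess; on nginx use an equivalent "location ... { deny all; }" block.

// 1. Block direct HTTP access to the upload directory, whatever the file name.
//    An index.php only suppresses the listing; this rule denies every request.
function cfdb7_example_protect_dir() {
    $dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'cfdb7_uploads/';
    if ( ! is_dir( $dir ) || file_exists( $dir . '.htaccess' ) ) {
        return;
    }
    $rules  = "<IfModule mod_authz_core.c>\nRequire all denied\n</IfModule>\n";   // Apache 2.4
    $rules .= "<IfModule !mod_authz_core.c>\nOrder deny,allow\nDeny from all\n</IfModule>\n"; // Apache 2.2
    file_put_contents( $dir . '.htaccess', $rules );
}
add_action( 'init', 'cfdb7_example_protect_dir' );

// 2. Serve a file only to a logged-in user holding the required capability, via
//    admin-post.php?action=cfdb7_download&file=<name>&_wpnonce=<nonce>.
function cfdb7_example_download() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'cfdb7_download' );   // rejects forged links (CSRF)

    $base = realpath( trailingslashit( wp_upload_dir()['basedir'] ) . 'cfdb7_uploads' );
    $name = basename( wp_unslash( $_GET['file'] ?? '' ) );   // drop any path component
    $path = realpath( $base . DIRECTORY_SEPARATOR . $name );

    // realpath() resolves "..", so anything outside $base is refused.
    if ( false === $base || false === $path || ! is_file( $path )
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'Not found', '', array( 'response' => 404 ) );
    }

    nocache_headers();
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . rawurlencode( $name ) . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
}
add_action( 'admin_post_cfdb7_download', 'cfdb7_example_download' );
```

    A quick check that the first half works: requesting any file under the protected directory by its direct URL should now return 403 for an anonymous visitor, regardless of whether the name is guessable.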
Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Arshid

    (@arshidkv12)

    This issue is fixed by adding index.php in the uploads folder.

    Thread Starter scoutingnow

    (@scoutingnow)

    As you know well…it’s not fixed at all!

    Files inside the folder are still public!

    Plugin Author Arshid

    (@arshidkv12)

    Understand the basics of security. Also install a security plugin like Wordfence.

    Thread Starter scoutingnow

    (@scoutingnow)

    Just a quick recap.

    Context: I’m the user. You’re the developer.

    1 year and 11 months ago: a user told you here that the folder and its content were public and indexed. So you could easily find them on Google. After treating him with the same attitude you’re treating me with (but that’s a problem we can’t tackle here), blaming “the server configuration” and proposing useless solutions…you did nothing.

    This means that: since your plugin was published (I think 2017), all the files uploaded via your plugin were public and easily reachable via a Google search.

    05/10/2020: another user (me) wrote to you with the same question. After the usual blame “on the server configuration” and useless solutions, you decided to release an update which finally prevents the files uploaded via your plugin from being indexed.

    This means that: from 2017 until 06/10/2020 the files uploaded via your plugin were indexed, public and visible. All this without the users being aware of it.

    But I’m the one who has to understand the basics of security. LOL!

    P.S. While I learn them, try to learn the basics of privacy and data protection. We could both profit from this.

    Plugin Author Arshid

    (@arshidkv12)
