Support » Plugin: Simple Download Monitor » PHP Dispatch does send the original URL to the browser!

  • The download settings say: “PHP Dispatching keeps the download URL hidden.”

    What bullshit! Really a user deception!

    The browser receives the original URL, where the file is stored. Hot linking is very easy, even for not logged-in users.

    This plugin does not do what it says! A real security risk. Never ever use it with sensitive documents!

    • This topic was modified 4 months, 1 week ago by thomei.
Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi,

    The browser receives the original URL, where the file is stored. Hot linking is very easy, even for not logged-in users.

    I have carried out a test and I don’t see the original URL in the browser. Can you confirm there is no conflict in your site with another plugin? Do you use any cache system in your site? Please check the following documentation create-new-post-for-wp-simple-download-monitor and focus on step 4).

    Let me know if the above helps you in any way.

    Thank you

    • This reply was modified 4 months, 1 week ago by mbrsolution.

    @mbrsolution
    I can provide you the evidence, it doesn’t work. But not in public. Can I e-mail it to you?

    Please, fix your plug-in or lose it.

    I can just warn other users about the unsecured behavior of this plugin. As I already did. It’s really a Super-GAU (worst-case disaster).

    We are looking for other solutions. To trust “Simple Download Monitor” any longer is difficult, because it seems you don’t take the issue seriously. Sorry for the direct words.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, I have submitted a message to the developers to investigate further your findings. In the meantime, we do have an addon hidden-downloads-for-simple-download-monitor that protects your downloads.

    Kind regards

    • This reply was modified 4 months, 1 week ago by mbrsolution.

    @mbrsolution

    One part of the issue is the lazy error handling of the plugin.

    If dispatch fails, it will fall back to the original URL! (see line 146 in includes/sdm-download-request-handler.php)

    At that point, you should never ever just fall back to the “common” process. (…if the admin has enabled PHP Dispatch) Display an error message and disable downloading. The visitor of the page should never ever get access to the original URL behind. Otherwise the PHP Dispatch function is just useless.

    As it is, the admin is in the wrong belief that everything is safe and working. No error and the download is working. We found the unsecured behavior just by accident.

    Why does dispatch fail? I don’t know.
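The fail-closed behaviour the post above asks for, as an added example that is not part of the thread and not Simple Download Monitor's code. The function names, the base URL, the 503 status and the sample files are assumptions made for illustration.

```php
<?php
// Added illustration with hypothetical names; not the plugin's code.

// Map a download URL to a readable file under $baseDir, or null if PHP cannot serve it.
function example_resolve_local(string $url, string $baseUrl, string $baseDir): ?string
{
    $root = realpath($baseDir);
    if ($root === false || strpos($url, $baseUrl) !== 0) {
        return null;                       // unknown base dir, or file hosted elsewhere
    }
    $rel  = rawurldecode(substr($url, strlen($baseUrl)));
    $real = realpath($root . '/' . ltrim($rel, '/'));
    if ($real === false || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;                       // missing file, or path escapes the base dir
    }
    return (is_file($real) && is_readable($real)) ? $real : null;
}

// Decide how to answer a download request. With dispatch enabled the stored
// URL is never returned: the outcome is "stream" or "error", nothing else.
function example_decide(string $url, bool $dispatch, string $baseUrl, string $baseDir): array
{
    if (!$dispatch) {
        return ['action' => 'redirect', 'location' => $url];
    }
    $path = example_resolve_local($url, $baseUrl, $baseDir);
    if ($path === null) {
        // Logged server-side so the admin notices; the visitor only gets an error page.
        error_log('PHP dispatch failed, download refused: ' . $url);
        return ['action' => 'error', 'status' => 503];
    }
    return ['action' => 'stream', 'path' => $path];
}

// Constructed demo data: one real file in a temp dir plus two URLs that cannot be resolved.
$dir = sys_get_temp_dir() . '/dispatch_example_' . getmypid();
@mkdir($dir);
file_put_contents($dir . '/report.pdf', 'constructed sample');
$base = 'https://example.test/uploads/';
foreach (['report.pdf', '../secret.txt', 'missing.pdf'] as $name) {
    $result = example_decide($base . $name, true, $base, $dir);
    echo $name, ' => ', $result['action'], PHP_EOL;
}
unlink($dir . '/report.pdf');
rmdir($dir);
```

Refusing the fallback only stops the handler from disclosing the stored URL. It does not by itself block direct requests to the file if the storage location is web-accessible.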

    @mbrsolution

    Hi, I have submitted a message to the developers to investigate further your findings. In the meantime, we do have an addon hidden-downloads-for-simple-download-monitor that protects your downloads.

    Kind regards

    As I told above, it seems you don’t take the issue seriously? Just marketing shit will not be the solution.

    Why should I buy another plugin, if there is a big security hole in your free plug-in? Really the wrong time to sell something. Why should we trust you?

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi,

    As I told above, it seems you don’t take the issue seriously? Just marketing shit will not be the solution.

    We do take any findings by users seriously and we appreciate you pointing out this issue. That is why I have submitted a message to the developers to investigate further your findings. Unfortunately I am not a developer and would not be able to troubleshoot your findings.

    Regarding the addon. I wanted to share this addon with you to help you further protect your download files. My apologies if this offended you in any way.

    Kind regards
