Sorry, what a pain, right? I notice that you’re not changing the uploaded file’s filename at all, and are just storing it in the uploads folder. Doesn’t this open up a massive vulnerability, since you’re letting anonymous users upload a file, possibly spoofed, and then immediately access that file, now on the server, in an easily guessable location?
What if the uploaded file were a webshell?
Okay, you enforce a file extension check, but I don’t know if that’s a 100% guarantee against an executable upload.
Please note the relatively recent vulnerability that struck MMForms, and is the reason that plugin is now blacklisted on many sites.
My recommendation is to hash the filename, or at least create a new folder for each upload with an unguessable, unique hash. That way an anonymous user can’t just upload a file and then access it immediately without any verification / validation at all. hackers notwithstanding, imagine someone (ab)using the upload form to upload questionable material and then immediately guessing and posting a link to that material to a file sharing site? Suddenly your plugin’s admin is unwittingly hosting a shared file without even knowing it!
Something to consider. You may want to simply remove the file upload field for now until you have that issue addressed.
- The topic ‘[Plugin: Visual Form Builder] File upload vulnerability?’ is closed to new replies.