Visual Form Builder
[resolved] security concerns for file uploading system (4 posts)

  1. prokopino
    Member
    Posted 3 years ago #

    Greetings from Greece.

    Your plugin is great. I just started using it, but I have one concern and I must have your answer before I start using it on my working site.

    My concern is about the upload folder.
    First of all, I must change the upload folder to keep all files organized.

    From time to time, and because of hosting limits, I may want to delete all the attachments the users sent to me.

    If the folder is the common folder and I want to delete all of the attached files, how can I find them if they are not in a common folder, mixed with maybe 500 or 1000 other files uploaded by me?

    Another concern is this: when a user sends a file to me, if I choose to send him a confirmation email, he knows the link to his file on my server! The confirmation email he receives has this link!

    This is, in my opinion, wrong. He must know only the name of the file sent to me, NOT where this file is stored on my server! This must be hidden ASAP!!

    Thank you for your time, thank you for your plugin,
    prokopis, Greece

    http://wordpress.org/extend/plugins/visual-form-builder/

  2. Matthew Muro
    Visual Form Builder Pro
    Plugin Author

    Posted 3 years ago #

    Here's a tutorial on how to customize the upload directory.

    As for the link getting sent to your user, that's not a big concern. It's no different than someone viewing a photo on your site -- they have the link to the file on your server.

  3. prokopino
    Member
    Posted 3 years ago #

    Thank you for your answer.
    For the info page, can you please tell me where I must place this code?
    Do I just add this, or must I change some other part of the code?

    As for the link getting to users, I think this is not like the links to images on our sites, because those images WE ARE THE ONLY ONES who publish them!

    If a user knows that it is possible to store a file on our server and that this file is accessible, maybe he can camouflage a file with a valid extension and voila! He has access!

    There is no need for the user, the visitor of our site, to know that the file he sent to us is stored on our server! We need to hide this thing, we need to hide the link!

    The only thing he needs to know is the name of the file sent to us OR the link on his PC, NOT the link to OUR server!!!

    So, I think you MUST change this; you must hide this by default or give it as an option.

    This is my opinion. Your plugin is really great, but this is a possible gate for someone to hack our site.

    Thank you again, prokopis, Greece

  4. Matthew Muro
    Visual Form Builder Pro
    Plugin Author

    Posted 3 years ago #

    The way that the File Upload works in VFB is pretty secure. It uses internal WP functions and when a file is uploaded, it writes those files using the user account not the server account (exactly the same way as when you install a plugin or update WordPress). Also, the types of files uploaded are restricted and need to be explicitly overridden with the upload_mimes hook.

    If you are truly concerned about it, then don’t use the file upload field.

    Simply changing the extension is not a magic "voila! access!" hack. I do not plan on changing the behavior of the file upload.
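    The upload_mimes restriction mentioned above, shown as an added defensive example (this is not Visual Form Builder's own code and not from the author; it assumes VFB routes uploads through WordPress's wp_handle_upload(), so the two standard filters below apply, and that only PDF and plain-text attachments are needed): it narrows the permitted types and rejects a file whose content does not match the type implied by its extension.

```php
<?php
// Added example, not part of Visual Form Builder. Drop into wp-content/mu-plugins/.
// Assumption: VFB uploads go through wp_handle_upload(), so these filters apply.

// 1. Narrow the allowed upload types. WordPress's default list is broad; allowing
//    only what the form actually needs limits what a submitter can store.
add_filter( 'upload_mimes', function ( array $mimes ) {
    // Assumption: the form only needs PDF and plain-text attachments.
    return array(
        'pdf' => 'application/pdf',
        'txt' => 'text/plain',
    );
}, 99 );

// 2. Before WordPress moves the temporary file, compare the MIME type derived
//    from the file's content with the type implied by its extension. A file that
//    was renamed to a permitted extension but carries other content is rejected.
add_filter( 'wp_handle_upload_prefilter', function ( array $file ) {
    $allowed = get_allowed_mime_types();            // already filtered by upload_mimes
    $by_ext  = wp_check_filetype( $file['name'], $allowed );

    if ( empty( $by_ext['type'] ) ) {
        $file['error'] = 'This file type is not accepted.';
        return $file;
    }

    $finfo  = finfo_open( FILEINFO_MIME_TYPE );
    $actual = $finfo ? finfo_file( $finfo, $file['tmp_name'] ) : false;
    if ( $finfo ) {
        finfo_close( $finfo );
    }

    if ( $actual !== $by_ext['type'] ) {
        // Setting a non-empty 'error' makes wp_handle_upload() abort the upload.
        $file['error'] = 'File content does not match its extension.';
    }
    return $file;
} );
```

Because both filters are global, they also apply to Media Library uploads by administrators; scope them with a capability check if that is not wanted.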

Topic Closed

This topic has been closed to new replies.
