Support » Plugin: File Away » Security issue with intranets still there

  • Resolved hr61369256

    (@hr61369256)


    It is still possible to download content of a site organized as an intranet, meaning one where all pages are only reachable as a logged-in user. But the content organized with FileAway is always reachable, regardless of whether you are logged in or not. Okay, you have to guess the exact URL of a document before you can download it. But it is a security hole which might be used for illegal downloads.

    Tom, is there a working solution within FileAway? … maybe one already on its way?

    Thank you,
    Ralf

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author thomstark

    (@thomstark)

    This is not an “issue” with File Away. The files exist on your server. If someone knows the file address to any file, it is downloadable.

    Unless you put an .htaccess file in your file directory with a deny from all directive, but that’s your decision. If you do use an .htaccess file though, you will need to either enable stats in File Away options or enable encryption in your fileaway shortcode for downloads to work. And in this case you will not be able to use the flightbox or thumbnails.

    hr61369256

    (@hr61369256)

    Thank you for your help. I use the plugin All-in-one-Intranet, which locks every WP page from outside. So you can only see the WP pages when you are logged in. Is this .htaccess hint synchronous with the login of WP? Because the .htaccess hint sounds to me like an additional password. Is this requirement feasible on the basis of File Away: only single-signed-on WP users have access to every piece of content, file-based and page-based, and content cannot be downloaded by not-signed-in users?
    Thanks again.

    Plugin Author thomstark

    (@thomstark)

    There is no password involved with a deny from all directive. It prevents direct access to the files from the browser, logged in or not. Then enabling stats or encryption on your File Away table will mean that when the user clicks on the download link, File Away will then push the file to the browser from the server, rather than the browser trying to navigate directly to the file.

    This should be the content of your .htaccess file:

    Order allow,deny
    Deny from all
    

    That’s it.

    • This reply was modified 4 months, 2 weeks ago by thomstark.
    Plugin Author thomstark

    (@thomstark)

    To reiterate, the .htaccess file goes in your top file directory, not your WordPress install directory.
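The mechanism described in the two replies above (Apache refuses direct requests to the file directory, and the plugin pushes the bytes to the browser only after WordPress has verified the session) can be shown end to end with a small download endpoint. The code below is an added example written for this thread; it is not File Away's own code, and the directory name `secure-files`, the query variable `secure_download` and the function names are assumptions chosen for illustration.

```php
<?php
// Added example, not File Away's code: a minimal WordPress download endpoint
// that serves files from a directory protected by the .htaccess "Deny from all"
// shown in the thread, and only to logged-in users. Directory name, query
// variable and function names are assumptions for this illustration.

// Assumed location of the protected directory (the .htaccess lives inside it).
function secure_files_dir() {
    return WP_CONTENT_DIR . '/secure-files';
}

// Map a user-supplied file name onto a real file inside the protected
// directory. Returns the absolute path, or null when the name is not a plain
// file name, does not exist, or resolves outside the directory.
function secure_files_resolve( $name ) {
    $base = realpath( secure_files_dir() );
    if ( $base === false ) {
        return null;
    }
    // basename() discards any directory component ("../" or absolute paths).
    $candidate = realpath( $base . DIRECTORY_SEPARATOR . basename( $name ) );
    if ( $candidate === false || ! is_file( $candidate ) ) {
        return null;
    }
    // Defence in depth: the resolved path must still start with the base dir.
    if ( strpos( $candidate, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return null;
    }
    return $candidate;
}

// Handler for ?secure_download=<file>. Because Apache blocks direct access,
// this code is the only route to the bytes, so the login check here is what
// ties file access to the WordPress session.
function secure_files_handle_download() {
    if ( ! isset( $_GET['secure_download'] ) ) {
        return;
    }
    if ( ! is_user_logged_in() ) {
        // Not signed in: send to the WordPress login form instead of the file.
        auth_redirect();
        exit;
    }
    $path = secure_files_resolve( wp_unslash( $_GET['secure_download'] ) );
    if ( $path === null ) {
        status_header( 404 );
        wp_die( 'File not found.' );
    }
    // Push the file from the server side. A fixed octet-stream type keeps
    // uploaded HTML or SVG from being rendered inline under the site's origin.
    nocache_headers();
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
}
add_action( 'init', 'secure_files_handle_download' );
```

Two practical notes on the .htaccess side: the `Order allow,deny` / `Deny from all` pair is Apache 2.2 syntax, and on Apache 2.4 the equivalent is `Require all denied`; and an .htaccess file only has effect on Apache with `AllowOverride` enabled for that directory (nginx ignores it entirely), so a quick check that a direct browser request to a file in the directory returns 403 is worth doing after deploying it.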
