Security of /uploads directory
Posted: Tue Dec 04, 2012 6:38 am
Hi
I’m running CMSMS 1.11.3 and I have a slight security concern that I am sure other people must have come across and resolved themselves so looking for some guidance please.
I have a website with a ‘Member’s Area’ using the FEUsers module for log-in and log-out access and using ‘Protected Content’ page type. Within the 'Member’s Area', I have available a Membership List (in PDF format) available to download from a link on a Protected Content page to a folder in the /uploads/docs/ folder.
Now the Security Problem - if you know the URL of the directory and filename for the Membership List, you can view the document without going through the Members log-in process
As a trial, I created a Directory within /uploads/docs called secure and put a plain text file in it called registration.txt (so the URL was http://www.****.org.uk/uploads/docs/secure/registration.txt) and I can enter that URL into a browser … and you get to see the document WITHOUT logging in to the Member’s Area!
I thought I could try changing the Directory permissions for my ‘secure’ directory from the default 755 to various combinations from 754 right through to 750 but that doesn’t seem to work - if I can download the document from the Protected Content pages, I can download the document using just the plain URL without being logged in (note that I used a different filename for each of these trials so it’s not that the document is already in the Browser cache)
As a temporary ‘fix’, I have given the directory with the Membership List in a very cryptic directory name so it’s not easy to guess but I am not happy about the overall security level.
Am I missing something, or have I got the Directory Permissions totally wrong, … or is there a better way?
Many thanks in advance for any help, guidance, or suggestions
Mike
UK based
I’m running CMSMS 1.11.3 and I have a slight security concern that I am sure other people must have come across and resolved themselves so looking for some guidance please.
I have a website with a ‘Member’s Area’ using the FEUsers module for log-in and log-out access and using ‘Protected Content’ page type. Within the 'Member’s Area', I have available a Membership List (in PDF format) available to download from a link on a Protected Content page to a folder in the /uploads/docs/ folder.
Now the Security Problem - if you know the URL of the directory and filename for the Membership List, you can view the document without going through the Members log-in process
As a trial, I created a Directory within /uploads/docs called secure and put a plain text file in it called registration.txt (so the URL was http://www.****.org.uk/uploads/docs/secure/registration.txt) and I can enter that URL into a browser … and you get to see the document WITHOUT logging in to the Member’s Area!
I thought I could try changing the Directory permissions for my ‘secure’ directory from the default 755 to various combinations from 754 right through to 750 but that doesn’t seem to work - if I can download the document from the Protected Content pages, I can download the document using just the plain URL without being logged in (note that I used a different filename for each of these trials so it’s not that the document is already in the Browser cache)
As a temporary ‘fix’, I have given the directory with the Membership List in a very cryptic directory name so it’s not easy to guess but I am not happy about the overall security level.
Am I missing something, or have I got the Directory Permissions totally wrong, … or is there a better way?
Many thanks in advance for any help, guidance, or suggestions
Mike
UK based