wpForo 1.x.x Attachment URLs - Not Secured

3 Posts
2 Users
0 Likes
1,469 Views
swannmatt
Posts: 2
Topic starter
(@swannmatt)
New Member
Joined: 5 years ago

We are using wpForo and everything seems great so far. The only issue we've found is that if someone gets hold of an attachment URL then anyone can access an uploaded file without having to be logged in. I understand the files are stored within the WordPress media library and potentially this could be the issue.

Are these URLs supposed to require an active session by default? Or is there a mod to support this? Would wpForo Advanced Attachments fix this issue?

Cheers,

Matt

P.S. Please ignore the attachment, I am testing something.

2 Replies
Robert
Posts: 9966
Admin
(@robert)
Support Team
Joined: 7 years ago

Hi Matt,

I'm sorry, but there are no extra security functions in the file attachment storing and displaying mechanism. All files are public, like they are for other WordPress plugins and blog posts. To make them non-public, we'll have to create a separate API and change image URLs to .php files with GET variables like this:

.../attachment.php?attach=23&session=xdf8edshk4r

These kinds of URLs get lots of conflicts with WordPress security plugins. Direct calls to PHP files are blocked by server and WordPress security systems. This will bring lots of problems on different websites.

Reply
1 Reply
swannmatt
(@swannmatt)
Joined: 5 years ago

New Member
Posts: 2

No problem at all. I'll put something in myself at some point; I just wanted to see if there was an option out of the box.

Thanks for the quick and detailed reply.

Reply
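For readers who want to add the kind of gate discussed in this thread, the following is an added example, not part of the original posts and not wpForo code. It serves a file only to logged-in users through WordPress itself rather than a standalone `.php` file; it assumes the attachment is a Media Library item addressed by its ID, and the `forum_attach` parameter name is hypothetical.

```php
<?php
/**
 * Plugin Name: Gated attachment download (illustrative example)
 */

// Handle /?forum_attach=<id> inside WordPress, so no standalone .php file is requested.
// "forum_attach" is a hypothetical parameter name chosen for this example.
add_action( 'template_redirect', function () {
    if ( ! isset( $_GET['forum_attach'] ) ) {
        return;
    }

    // Rely on the WordPress auth cookie instead of a session token in the URL,
    // so a leaked link on its own does not grant access.
    if ( ! is_user_logged_in() ) {
        auth_redirect(); // redirects to the login page and exits
    }

    // Accept only a numeric ID that refers to a Media Library attachment.
    $id = absint( $_GET['forum_attach'] );
    if ( ! $id || 'attachment' !== get_post_type( $id ) ) {
        status_header( 404 );
        exit;
    }

    // Resolve the path from the database, never from user input,
    // and confirm it sits inside the uploads directory.
    $path    = realpath( (string) get_attached_file( $id ) );
    $uploads = wp_get_upload_dir();
    $base    = realpath( $uploads['basedir'] );
    if ( ! $path || ! $base || ! is_file( $path )
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        status_header( 404 );
        exit;
    }

    $mime = get_post_mime_type( $id );
    nocache_headers(); // keep shared caches from storing the protected file
    header( 'Content-Type: ' . ( $mime ? $mime : 'application/octet-stream' ) );
    header( 'X-Content-Type-Options: nosniff' );
    header( 'Content-Disposition: attachment; filename="' . rawurlencode( basename( $path ) ) . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
} );
```

This gate only helps if the web server also denies direct requests to the stored files, since the original upload URL otherwise keeps working. It lets any logged-in user fetch any attachment ID; per-forum permission checks are not shown.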