Anyone can download files???

Posted in

I was just randomly testing a link and noticed that I could download the file when I wasn’t logged in.

I test in 4 browsers and used private mode.

This is a huge security flaw as the reason I use this plugin is to prevent unauthorized downloads.

i tested this by putting the following URL in any browser, with my domain name
https://www.domain.com/?gfid=1

groups version 1.9.0

3 Responses to Anyone can download files???

  1. George November 25, 2021 at 11:14 pm #

    Hi Rodd,

    I think we should have a look at your site and if it’s running live at the moment, a staging clone should be preferable.
    You may share the details with me including temp admin credentials and the site URL, using my personal email address, george at itthinx dot com.
    Furthermore, please make sure to enable WP debugging for the testing site by the following process:
    Edit your wp-config.php file and replace this line: 

    define( ‘WP_DEBUG’, false );

    with these lines:

    define( ‘WP_DEBUG’, true );
    define( ‘WP_DEBUG_LOG’, true );
    define( ‘WP_DEBUG_DISPLAY’, false );

    All logs will be stored in your site’s root folder under wp-content/debug.log file.

    During the testing process we might disable all/selective plugins and switch the active theme on your site.

    Kind regards,
    George

  2. Rodd Kennedy November 24, 2021 at 6:05 pm #

    The issue is not direct access. I tried a direct URL (
    https://www.domain.com/wp-content/uploads/groups-file-access/file.ext) and get the Forbidden message, so the .htaccess file is working. It has deny from all in it.

    I was already running Groups 2.15 and upgraded to Groups File Access 2.0 and it’s still an issue.

    The issue is the Groups link: https://www.domain.com/?gfid=1

    I’m running the latest version of WordPress. Site Health comes back clean. I’ve tried deactivating recently installed plugins and no effect.

  3. George November 24, 2021 at 12:38 pm #

    Hi Rodd,

    Welcome to our support forum.

    This is obviously not normal and most probably something is wrong on your site. In general all files that are uploaded to wp-content/uploads/groups-file-access directory are only accessible by those users that are granted access to them. As for direct access using the file URL as you described, then the aforementioned directory is protected by a .htaccess file which denies access to everyone.

    Based on your description there is a security flaw on your site which in turn is affecting Groups File Access plugin and its protected files. You should definitely have a look at the .htaccess file in the files upload directory and check if it exists or it has the correct syntax. If this file has been modified either manually or by another third-party plugin that is capable of such operations, then you should locate the source of the issue and then re-install the Groups File Access plugin. In this case make sure that none of the options are checked

    Delete plugin data when the plugin is deleted?
    Delete all Groups File Access plugin data when the plugin is deactivated?

    Last but not least if your Groups plugin version is 1.9.0 then you should definitely update to the latest version available, 2.15.0, while on the other hand if you are using Groups File Access 1.9.0, then you should also update this plugin to the latest version, 2.0.0.

    Kind regards,
    George

Only authorized members can comment on this topic.

Log in

We use cookies to optimize your experience on our site and assume you're OK with that if you stay.
OK, hide this message.

Affiliates · Contact · Jobs · Terms & Conditions · Privacy Policy · Documentation · Downloads · Useful Plugins · My Account

Share