Support Forum

Simple:Press 6 Plugin Topics

Security issues in the image/file uploader

Security issues in the image/file uploader

Johan Moritz

Rookie

Free Members

Offline

Jun 17, 2014 - 6:03 am

Hi,

We are running a high traffic site and are using the image/file uploader in our simple press forum. We had some major issues to get it to work with our security settings. We are using a pretty strict settings which resulted in the upload plugin to fail when it tried to run copy() to copy the file from the temp directory to the upload directory. We replaced copy() in the forum-plugins/plupload/library/sp-upload-components.php on line 702 and instead used move_uploaded_file() which worked perfect for us.

So my question is, why is the plugin using copy() instead of move_uploaded_file() ?
Could it be updated in the next version of the upload plugin?

Yellow Swordfish

Glinton, England

SP Master

Offline

Jun 17, 2014 - 11:55 am

We will have a discussion and come back to you...

YELLOW

SWORDFISH

Mr Papa

Simi Valley, CA

SP Master

Free Members

Offline

Jun 18, 2014 - 12:14 am

not really a security issue per se - nothing inherently unsafe about the copy command...

but as Andy says, we will investigate the other command and have to check its applicability to various php flavors and versions (as well as *nix types), plus make sure no IIS issues (its has some weird nuances with upload temp dirs)... thanks for the tip...

Visit Cruise Talk Central and Mr Papa's World

All RSS

Forum Timezone: Europe/Stockholm

Most Users Ever Online: 1170

Currently Online:

Guest(s) 1

Currently Browsing this Page:
1 Guest(s)