Is there a security problem?

Phoca Download - download manager

Post by fabry24 »

Hi to all,

I have installed Phoca Download (Joomla 2.5) and I am trying to use it :P
I have found this problem. The default installation creates 2 folders:

phocadownload
phocadownloadpap

I tried to insert a new file (text.txt) and one category. I published the file with registered access and all works fine.
So when I try to download the file on the frontend, the site asks me to log in to download... perfect

Now, Phoca Download puts the file that I have uploaded in the "phocadownload" folder.
This is the problem: if I write the whole URL in my browser

www .site.com/phocadownload/text.txt

I can download the file without any access control or security :evil:

I don't have any security on the file that I set to registered access... I can download it easily with the URL...

Is there a solution? Otherwise I can't use Phoca Download to download sensitive files...

Thank you in advance

Re: Is there a security problem?

Post by Jan »

Hi,

first of all, security on your page cannot be managed by some PHP script (in this case a component)
second - see the options and documentation, you should set your own folder, there are many options for how to secure your files in Phoca Download:

- add the hash string to your file names
- protect the folder (in this case "phocadownload") by .htaccess
- create a new folder behind public_html (this is why Phoca Download creates two folders - phocadownload and phocadownloadpap - in case you are using a protected folder or a folder behind public_html, nobody can access the files directly, and if you want to play or preview the playable and previewable files, you need to have them in another folder - this is why there are two folders - complicated for some users BUT they were added because of SECURITY)
- etc.

For more info:
- see similar posts in this forum
- see: https://www.phoca.cz/documents/17-phoca- ... tml-folder
- see: https://www.phoca.cz/documents/17-phoca- ... ng-folders
- see: https://www.phoca.cz/documents/17-phoca- ... users-only
- see: https://www.phoca.cz/documents/17-phoca- ... ess-rights
- see: https://www.phoca.cz/documentation/categ ... -component

So yes, Phoca Download is used by many sites for downloading sensitive or non-public files.

Jan
If you find Phoca extensions useful, please support the project
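
An added example, not part of the thread or of Phoca Download's own code: a Python check that classifies a download folder according to two of the options listed in the answer above (folder behind public_html, or folder protected by .htaccess). The function names, the `phocadownload_ht` folder and the sample files are constructed for illustration, and the check assumes the server honours .htaccess files.

```python
import tempfile
from pathlib import Path

# Deny-all directives: Apache 2.4 syntax and the older 2.2 syntax.
DENY_ALL = ("require all denied", "deny from all")

def htaccess_denies_all(folder: Path) -> bool:
    """True if folder/.htaccess has a top-level, uncommented deny-all line."""
    htaccess = folder / ".htaccess"
    if not htaccess.is_file():
        return False
    depth = 0  # nesting inside <Files>/<IfModule>/... sections
    for raw in htaccess.read_text(errors="replace").splitlines():
        line = " ".join(raw.split()).lower()
        if line.startswith("</"):
            depth = max(depth - 1, 0)
        elif line.startswith("<"):
            depth += 1
        elif depth == 0 and line in DENY_ALL:
            return True  # conservative: scoped directives are not counted
    return False

def classify(docroot: Path, download_dir: Path) -> str:
    """Return 'outside-docroot', 'htaccess-protected' or 'exposed'."""
    docroot, download_dir = docroot.resolve(), download_dir.resolve()
    if download_dir != docroot and docroot not in download_dir.parents:
        return "outside-docroot"  # not under the web root
    # Assumption: the server honours .htaccess here (AllowOverride permits it).
    if htaccess_denies_all(download_dir):
        return "htaccess-protected"
    return "exposed"  # e.g. /phocadownload/text.txt is served with no login check

def demo() -> dict:
    """Classify three constructed layouts built in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        docroot = base / "public_html"
        default = docroot / "phocadownload"      # default install location
        guarded = docroot / "phocadownload_ht"   # hypothetical folder name
        moved = base / "phocadownload"           # behind public_html
        for d in (default, guarded, moved):
            d.mkdir(parents=True)
            (d / "text.txt").write_text("constructed sample file\n")
        (guarded / ".htaccess").write_text("# block direct requests\nRequire all denied\n")
        return {name: classify(docroot, d) for name, d in
                (("default", default), ("guarded", guarded), ("moved", moved))}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

This is a static check of the filesystem layout only; requesting the file's direct URL while logged out remains the definitive test.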

Re: Is there a security problem?

Post by fabry24 »

Well...

Thank you very much, I SOLVED it; I moved the folder PHOCADOWNLOAD behind public_html and all works fine...

For me, you can close this... bye...