  1. #1 (Join Date: Aug 2006, Posts: 2, Plugin Contributions: 0)

    Download Security Issue

    I have just started using Zen Cart version 1.3.0.2 and I am very impressed, but I have discovered a problem.

    When you create virtual products using download attributes, customers are able to download a product as much as they like by using the following as an example:

    www.websitename.co.uk/download/product.zip

    I am using Microsoft-IIS/6.0 web server with “Attribute Settings > Download by Redirect” turned off. I have turned this option off because it corrupts the zip file when customers download products. Even when redirect is turned on, the URL mentioned above will bypass security. I have a .htaccess file in my download directory, but this does not offer any protection. This is a real problem because customers can easily work out the URL they need to download files.

    Does anyone know a security fix?

  2. #2 (Join Date: Jan 2004, Posts: 66,445, Plugin Contributions: 81)

    Re: Download Security Issue

    Download by redirect (which Windows servers can't usually provide) is much more secure than without redirect.

    However, it's true that if a user understands Zen Cart infrastructure, they could perhaps figure out how to download directly from the "downloads" folder.

    Given that scenario, the following options are available:

    1. Zen Cart already provides .htaccess protection for that folder. You could (should) update that file to add the file-extensions for all the types of files in your downloads folder. Thus, people using a browser cannot directly access any files matching those extensions. Granted, if you have redirect off, this may pose a problem. And of course, only works if .htaccess is fully supported on your server.

    2. If you are using redirect or streaming then moving the "downloads" folder into a place outside your webroot will prevent anyone from ever accessing the files with a browser unless they are using the Zen Cart-supplied links in their order details. This is the most secure approach. It requires physically relocating the folder, and editing your configure.php files to point to the real location of your downloads folder so that Zen Cart has a clue where to find the files it will be streaming to your users. This works on both Windows and Linux/Unix hosts.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
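The following is an added illustration of option 2 above, not code from Zen Cart or from the poster: a stand-alone download script that serves files from a folder located outside the web root, so the web server can never hand them out directly and the only route to a file is a script that checks the request first. The folder path, the session/customer lookup and the entitlement table are constructed assumptions; in a real Zen Cart install the relocated folder is whatever you set the DIR_FS_DOWNLOAD constant in includes/configure.php to, and the entitlement check is the shop's own order-download record. The example assumes PHP 7.1 or later.

```php
<?php
// Added example (not Zen Cart's own code): stream a purchased file from a
// download directory that lives OUTSIDE the web root (option 2 above).

// ASSUMPTION: the relocated folder. In Zen Cart this is the value you would
// give the DIR_FS_DOWNLOAD constant in includes/configure.php. Constructed path.
define('DOWNLOAD_DIR', '/var/www/private_downloads/');

/**
 * Return the absolute path of $requested inside DOWNLOAD_DIR, or null when the
 * name is empty, does not exist, or resolves outside that directory
 * (for example "../../etc/passwd" or a symlink pointing elsewhere).
 */
function resolve_download_path(string $requested): ?string
{
    // Strip any directory component so only a bare filename is considered.
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $base = realpath(DOWNLOAD_DIR);
    $path = realpath(DOWNLOAD_DIR . $name);
    if ($base === false || $path === false) {
        return null;                       // directory or file does not exist
    }
    // realpath() has resolved symlinks; confirm the result still sits under $base.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

/**
 * ASSUMPTION: stand-in for the shop's own entitlement check (in Zen Cart the
 * customer's order download record). Constructed sample table: customer id
 * => files that customer has purchased.
 */
function customer_may_download(int $customer_id, string $file): bool
{
    $entitlements = [42 => ['product.zip']];
    return in_array($file, $entitlements[$customer_id] ?? [], true);
}

/**
 * Send the file in binary-safe chunks. Clearing every output buffer first
 * keeps stray whitespace or notices from being prepended to the archive,
 * which would otherwise be delivered as a corrupted download.
 */
function stream_download(string $path): void
{
    while (ob_get_level() > 0) {
        ob_end_clean();
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    header('Content-Transfer-Encoding: binary');
    $fh = fopen($path, 'rb');
    while (!feof($fh)) {
        echo fread($fh, 8192);
        flush();
    }
    fclose($fh);
}

session_start();
$customer_id = (int) ($_SESSION['customer_id'] ?? 0);   // ASSUMPTION: set at login
$requested   = $_GET['file'] ?? '';
$path        = resolve_download_path($requested);

// One identical answer for "no such file" and "not your file", so the
// response does not confirm which filenames exist in the folder.
if ($path === null || !customer_may_download($customer_id, basename($path))) {
    http_response_code(404);
    exit;
}
stream_download($path);
```

The two checks do different jobs: resolve_download_path() guarantees the script can only ever open something inside the relocated folder, whatever is passed in the file parameter, and customer_may_download() ties that file to a purchase. Because the folder is outside the web root, a direct request such as the /download/product.zip URL in the first post has nothing to hit; the files are reachable only through this script.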

  3. #3 (Join Date: Aug 2006, Posts: 2, Plugin Contributions: 0)

    Re: Download Security Issue

    Thank you for all your help, placing the folder outside the webroot worked a treat.
