[wp-trac] [WordPress Trac] #44230: Export Personal Data Flaw

WordPress Trac noreply at wordpress.org
Wed May 30 08:52:00 UTC 2018


#44230: Export Personal Data Flaw
-------------------------------------+------------------------------
 Reporter:  psycleuk                 |       Owner:  (none)
     Type:  defect (bug)             |      Status:  new
 Priority:  normal                   |   Milestone:  Awaiting Review
Component:  Privacy                  |     Version:  4.9.6
 Severity:  major                    |  Resolution:
 Keywords:  close reporter-feedback  |     Focuses:
-------------------------------------+------------------------------

Comment (by psycleuk):

 Apologies for not being clear enough in my initial wording - our concerns
 are that the file has no access control on it.

 How guessable the file name is bears no relevance, as security by obscurity
 is not secure. Once the file has been created anyone can access it and
 download it.

 As WordPress is an open source CMS and by default the code is open, it
 would therefore not be too difficult to reverse engineer how the file is
 created to build a script to exploit it.

 There is also a potential issue with using index.html as a way to block
 directory viewing of the personal data folder, as any server that is
 configured to not default to index.html would be exposed. Although, I do
 appreciate that catering for server configurations is a difficult task.
 Ideally using .htaccess to block all public access to this folder is
 preferred, then any developer using nginx-only setups would need to copy
 the rules into the nginx config.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/44230#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
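The .htaccess approach the comment above proposes, written out as an added example (not from the ticket or from WordPress core). It assumes the export directory is wp-content/uploads/wp-personal-data-exports/ and that AllowOverride permits authorization directives there; unlike a dropped-in index.html, it refuses direct requests for the archive itself, not just directory listings.

```apache
# Added example: place as .htaccess inside the personal-data export directory
# (assumed path: wp-content/uploads/wp-personal-data-exports/).
# index.html only suppresses directory listings; these rules make the web
# server refuse every request for files in the folder, so a guessed or leaked
# archive name is no longer enough to download someone's exported data.

# Apache 2.4 and later
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2 fallback (same effect with the older authorization syntax)
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
```

The nginx equivalent is a `location ^~ /wp-content/uploads/wp-personal-data-exports/ { deny all; }` block, since nginx ignores .htaccess entirely. Note that denying all access also blocks the download link WordPress emails to the requester, so the archive would then have to be served through an authenticated handler rather than as a static file.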

