• Resolved wzshop

    (@wzshop)


    Hi,

    First of all I love your plugin, so many thanks for that.
    I have the “media upload on product page” option enabled and I recently found out that images got uploaded to the WooCommerce media folder, even when people do not submit the form or leave a review. I was wondering if this causes any security issue, because anyone (also robots?) can upload files, without going through the process of filling out the rest of the review form.
    I know that I can enable the reCAPTCHA option, but I found that I need to solve the reCAPTCHA for each image I upload. After 1 upload, the reCAPTCHA needs to be solved again. So that is very annoying when people want to leave a review. Also it has a timeout. So I would rather not use the V2 reCAPTCHA.

    My question is, I guess, whether uploading the images without leaving a review or submitting the form itself is causing any security issues. Wouldn’t it be better to only upload the images when the form is actually submitted? Are there any safety precautions in place?

    Thanks, WZ

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Support pear8398

    (@pear8398)

    Hi,

    Thanks for using CusRev.

    Uploading an image in the review form on the product page could take a few seconds, so we decided to upload it to the media library first and allow the review form to be submitted later. I will inform the development team to consider checking this feature again and delete the images if the review is not submitted.

    If you are afraid of security issues, you can use reCaptcha v2 or allow the customer to upload images in the aggregated review form only.

    Thread Starter wzshop

    (@wzshop)

    Hi,
    Thanks for getting back to me. Yes, I guess deleting the image when no review is submitted would be a good idea. I am not necessarily afraid of security issues, I am just wondering if there are any. This is your plugin so I guess you thought this aspect through?
    I really would like to keep the image upload function for the normal customer review form, but like I said the reCaptcha v2 function is not really functioning properly with the image upload function (time-out issue and solving the reCaptcha per image upload).

    Hope to hear from you soon, thanks!

    Plugin Support pistachio6321

    (@pistachio6321)

    Yes, we considered this question. Uploading images after a review form is submitted doesn’t offer you any additional protection because any bot can submit a form. The plugin starts the upload as soon as an image is added because it offers a better user experience and doesn’t make any difference from the security point of view.

    The best and recommended protection is to accept reviews by email invitations only. If you want to accept reviews from unknown visitors directly on product pages (which we do not recommend), please at least use CAPTCHA.

    Thread Starter wzshop

    (@wzshop)

    Hi, thanks again for getting back to me.
    Again: I really would like to keep the image upload function for the normal customer review form, but like I said the reCaptcha v2 function is not really functioning properly with the image upload function (time-out issue and solving the reCaptcha per image upload).

    Can this be fixed?

    Thread Starter wzshop

    (@wzshop)

    Also, why not offer reCAPTCHA V3 as well?

    Plugin Support pistachio6321

    (@pistachio6321)

    Could you please share a screen recording illustrating the problem? Solving CAPTCHA for image upload is required to protect your website from images uploaded by bots.

    Implementation of reCAPTCHA v3 is in our development plans. However, v3 doesn’t offer better protection than v2. The difference is in the user interface – v3 reCAPTCHA is hidden by default but v2 is always shown.

    Thread Starter wzshop

    (@wzshop)

    Hi,

    Yes, the difference in user interface is what I need.
    I can’t show you a screenshot right now, but like I said it is quite easy.

    Currently, when enabling V2 captcha, it requires the user to solve the reCAPTCHA per 1 image upload. So if someone wants to upload 3 photos, they need to solve the reCAPTCHA 3 times. That is not very user friendly.
