• thomei

    (@thomei)


    The download settings say: “PHP Dispatching keeps the download URL hidden.”

    What bullshit! Really a user deception!

    The browser receives the original URL, where the file is stored. Hot linking is very easy, even for not logged-in users.

    This plugin does not do what it says! A real security risk. Never ever use it with sensitive documents!

    • This topic was modified 5 years ago by thomei.
Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi,

    The browser receives the original URL, where the file is stored. Hot linking is very easy, even for not logged-in users.

    I have carried out a test and I don’t see the original URL in the browser. Can you confirm there is no conflict in your site with another plugin? Do you use any cache system in your site? Please check the following documentation create-new-post-for-wp-simple-download-monitor and focus on step 4).

    Let me know if the above helps you in any way.

    Thank you

    Thread Starter thomei

    (@thomei)

    @mbrsolution
    I can provide you the evidence, it doesn’t work. But not in public. Can I e-mail you?

    Please, fix your plug-in or lose it.

    I can just warn other users about the insecure behavior of this plugin. As I already did. It’s really a Super-GAU.

    We are looking for other solutions. To trust “Simple Download Monitor” any longer is difficult, because it seems you don’t take the issue seriously. Sorry for the direct words.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, I have submitted a message to the developers to investigate further your findings. In the meantime, we do have an addon hidden-downloads-for-simple-download-monitor that protects your downloads.

    Kind regards

    Thread Starter thomei

    (@thomei)

    @mbrsolution

    One part of the issue is the lazy error handling of the plugin.

    If dispatch fails, it will fall back to the original URL! (see line 146 in includes/sdm-download-request-handler.php)

    At that point, you should never ever just fall back to the “common” process. (…if the admin has enabled PHP Dispatch) Display an error message and disable downloading. The visitor of the page should never ever get access to the original URL behind. Otherwise the PHP Dispatch function is just useless.

    As it is, the admin is in the wrong belief that everything is safe and working. No error and the download is working. We found the insecure behavior just by accident.

    Why does dispatch fail? I don’t know.
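
The fail-closed behaviour asked for in the post above, as an added example that is not part of the thread and not the plugin's code: when PHP dispatch cannot serve the file, the handler answers with an error and logs it instead of redirecting to the stored URL. The function names and the storage-directory parameter are hypothetical.

```php
<?php
// Added example; all names are hypothetical, not the plugin's API.

/**
 * Stream a protected file through PHP, or fail closed.
 * Returns the HTTP status used. It never redirects to, or prints, the storage location.
 */
function example_dispatch_fail_closed(string $file_path, string $storage_dir): int
{
    $base = realpath($storage_dir);
    $real = realpath($file_path); // false for remote URLs and missing files

    // Deny when the path does not resolve or escapes the storage directory.
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($real) || !is_readable($real)) {
        return example_deny(404, 'file not dispatchable');
    }
    if (headers_sent()) {
        return example_deny(500, 'headers already sent');
    }
    $handle = fopen($real, 'rb');
    if ($handle === false) {
        return example_deny(500, 'fopen failed');
    }

    // Only a sanitized basename reaches the client, never the stored path.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($real));
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . filesize($real));
    header('X-Content-Type-Options: nosniff');
    fpassthru($handle);
    fclose($handle);
    return 200;
}

function example_deny(int $status, string $reason): int
{
    // Server-side log so the admin learns that dispatch is broken.
    error_log("download dispatch failed ($status): $reason");
    if (!headers_sent()) {
        http_response_code($status);
        header('Content-Type: text/plain; charset=utf-8');
    }
    echo 'Download unavailable.';
    return $status;
}
```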

    Thread Starter thomei

    (@thomei)

    @mbrsolution

    Hi, I have submitted a message to the developers to investigate further your findings. In the meantime, we do have an addon hidden-downloads-for-simple-download-monitor that protects your downloads.

    Kind regards

    As I said above, it seems you don’t take the issue seriously? Just marketing shit will not be the solution.

    Why should I buy another plugin, if there is a big security hole in your free plug-in? Really the wrong time to sell something. Why should we trust you?

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi,

    As I said above, it seems you don’t take the issue seriously? Just marketing shit will not be the solution.

    We do take any findings by users seriously and we appreciate you pointing out this issue. That is why I have submitted a message to the developers to investigate further your findings. Unfortunately I am not a developer and would not be able to troubleshoot your findings.

    Regarding the addon. I wanted to share this addon with you to help you further protect your download files. My apologies if this offended you in any way.

    Kind regards

    Thread Starter thomei

    (@thomei)

    @mbrsolution
    I can provide you the evidence, it doesn’t work. But not in public. Can I e-mail you?

    I still could offer you information about this serious bug. But marketing talk seemed more important 5 months ago… sad!

  • The topic ‘PHP Dispatch does send the original URL to the browser!’ is closed to new replies.