• The whole plugin looks great, and is well organised and functionally hits the nail on the head.

    One thing though: uploaded CVs are placed into the public upload area, and are not protected in any way (e.g. the original filename is retained). Uploading a CV, I was able to download it from another browser when not even logged in.

    The CVs need to be protected behind a security fence so that only administrators (or whatever role manages the job applications) can download them.

    — Jason

    https://www.ads-software.com/extend/plugins/job-manager/

Viewing 9 replies - 1 through 9 (of 9 total)
  • Thread Starter Jason Judge

    (@judgej)

    Just to be clear on this, the job manager does provide its own URLs to the uploaded CVs, and they are protected, e.g.

    https://example.com/jobman_app/application/attachment/cv-filename/

    Without privileges, the user gets a 404.

    However, when clicking on the download link there, WP redirects to the media centre URL to download the actual document, e.g. on my network-enabled WP site:

    https://example.com/content/blogs.dir/1/files/2011/05/cv-filename.pdf

    It is this URL that is not protected. A bit of trial-and-error is likely to uncover some CVs (mycv.doc anyone?), and knowing WordPress, it is only a matter of time before some other module sticks all the direct CV URLs into a sitemap.

    This is a really nice job board though, so this is something that is well worth fixing.

    Plugin Author Gary Pendergast

    (@pento)

    The issue here is that Job Manager uses WordPress’ built in media system, which has no concept of private/public files. (This is being discussed here: https://core.trac.www.ads-software.com/ticket/17255 )

    The problem with implementing a fix for this is that there is no lightweight way to authenticate a user.

    While I understand the concern, I think this can be considered a low risk for the time being. Guessing the filename of a specific CV (as opposed to a random CV) would be quite tricky, and would only yield information that is already usually publicly available (i.e., through LinkedIn).

    Thread Starter Jason Judge

    (@judgej)

    Hmm, I’ll have to disagree on this being a low risk, because there are so many doors that can expose the media on WordPress in an uncontrolled way. It is something that people need to be aware of and treat appropriately.

    Personal information can be put in CVs that absolutely should not be made public. There are privacy laws (in the EC) that come down heavily on companies not treating this seriously.

    Now, it is great that this plugin is using built-in WordPress functionality (it is one thing that draws me to it as a quality piece of software). I wonder if there are other plugins that can handle privileges within the media section? Or maybe there is a way for Job Manager to specify an alternative upload location? I’ll have a dig around myself and see if anything catches my eye.

    Yeah, WordPress is a CMS that makes a lot of things easy compared to some other CMSs, but its whole reason for being is for publishing stuff to the world, and so it does lack a certain amount of privilege framework. So it does make some things more difficult to protect and hide. It is not something that should be dismissed though. IMO it does need sorting, but I am at a loss to suggest how to sort it at this stage.

    If anyone finds a way to solve this please share!!

    By the way, is it possible to change the upload folder?

    You can password protect your uploads folder. It would require anyone going to the specific resume URL to have a WP log-in to view the information. It’s a simple change to your .htaccess file:

    After:
    RewriteBase /

    Insert:
    RewriteCond %{REQUEST_URI} ^.*uploads/.*
    RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]
    RewriteRule . /wp-login.php?redirect_to=%{REQUEST_URI} [R,L]

    Before:
    RewriteRule ^index\.php$ - [L]

    I hope this information helps!

    Thread Starter Jason Judge

    (@judgej)

    @kelly – that’s a useful technique, but does it not rely on the “wordpress_logged_in” cookie being created by the WordPress installation? The problems I see are:

    * This technique assumes that if the cookie exists, then the user is logged in. Since a user can create any cookie they like, they could simply create the cookie and get through this check.

    * The check does not distinguish between different roles for users logged in. It assumes that ANY logged in user has access to all the uploads. This includes users that have registered to upload a CV and so get access to other users' CVs.

    I think the way to do this is to redirect ALL upload URLs through a script that checks the roles the user has. The difficulty is the way the CVs are mixed in with all other uploads, including images and other documents that should be freely available to anonymous users.

    Thanks for sharing – it is a step towards finding a solution, which may involve a separate plugin to secure uploaded files according to roles.

    — Jason
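    The role-checking download script Jason describes, written out as an added example for this thread (not code from Job Manager or from anyone in the discussion). It assumes a directory outside the public uploads tree (content/private-cvs, an assumed path), a capability chosen by the site owner ('manage_options' here, meaning administrators), and a query parameter name of pcv_download; all three are placeholders. It addresses both of Jason's objections to the cookie-name check: WordPress validates the signed login cookie itself, and current_user_can() checks the role rather than mere login.

```php
<?php
/*
Plugin Name: Protected CV Downloads (added example)
Description: Serves files from a non-public directory only to users holding
a chosen capability. Example code for the forum thread, not part of Job Manager.
*/

// Directory that is NOT under the web-served uploads tree (assumed path).
// Drop a .htaccess containing "Deny from all" in it as belt-and-braces.
define( 'PCV_PRIVATE_DIR', WP_CONTENT_DIR . '/private-cvs' );

// Capability required to download a CV. 'manage_options' = administrators;
// a site can map a custom capability to whichever role manages applications.
define( 'PCV_CAPABILITY', 'manage_options' );

// Endpoint (assumed): https://example.com/?pcv_download=cv-filename.pdf
add_action( 'init', function () {
    if ( empty( $_GET['pcv_download'] ) ) {
        return;
    }

    // Unlike matching the cookie NAME in .htaccess, is_user_logged_in()
    // verifies the cookie's signature, and current_user_can() checks the
    // role, so a registered applicant cannot fetch other applicants' CVs.
    // A 404 (not 403) is returned so the response does not confirm that
    // a guessed filename exists.
    if ( ! is_user_logged_in() || ! current_user_can( PCV_CAPABILITY ) ) {
        status_header( 404 );
        exit;
    }

    // Reduce the request to a bare, sanitised filename so "../" or encoded
    // separators cannot point outside the private directory.
    $name = sanitize_file_name( basename( wp_unslash( $_GET['pcv_download'] ) ) );
    $base = realpath( PCV_PRIVATE_DIR );
    $real = ( '' !== $name ) ? realpath( PCV_PRIVATE_DIR . '/' . $name ) : false;

    // realpath() resolves symlinks; confirm the result still lives inside
    // the private directory and is a regular file.
    if ( false === $base || false === $real
        || 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR )
        || ! is_file( $real ) ) {
        status_header( 404 );
        exit;
    }

    // Stream the file. Sending it as an attachment with nosniff stops the
    // browser rendering an uploaded HTML/SVG "CV" in the site's origin.
    nocache_headers();
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . $name . '"' );
    header( 'Content-Length: ' . filesize( $real ) );
    header( 'X-Content-Type-Options: nosniff' );
    readfile( $real );
    exit;
} );
```

    The remaining step, which this example leaves to the job board, is to store CVs in the private directory in the first place rather than in the media library; as Jason notes, once CVs share the public uploads tree with images, no per-file check can tell them apart.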

    The Zartis job plugin looks interesting: https://www.ads-software.com/extend/plugins/zartis-job-plugin/ although their site is thin on info, it does claim to have CV upload.

    A more heavyweight (and paid) option is Jobroller which is a full job board inc CV upload and a searchable CV index: https://www.appthemes.com/themes/jobroller/

    I have no idea how secure either option is.

    The CV security is a big risk, particularly for businesses in the EU due to stringent data protection regulations.

    I also saw a post in the forum where google had crawled through the upload directories and was returning the cv as a google search result?

    In terms of fixing, yes you can change your .htaccess and robots file for the search engines, but the open access of the storage is a significant issue.

    Is there scope for a separate protected folder within the plugin directory that can store the CVs? In the same way that S2 member plugin restricts file access and downloads? (both on single and multi-site installations)

  • The topic ‘[Plugin: Job Manager] Uploaded CV Security’ is closed to new replies.