Is there any way to protect downloads from being downloaded unless a valid purchase has been made (i.e., a specially formatted URL that both verifies the download and provides a page to actually download the file)? Right now I can download a file if I know the name. What kind of joke is that? If not, then why would OpenCart include such a poorly implemented feature in their software?
Last edited by jmanko on Mon Dec 09, 2013 1:38 am, edited 1 time in total.
You upload downloadable files THROUGH OC, NOT VIA FTP, into /download/ precisely because OC "hashes" the filespecs in order to prevent unauthorized downloading and to require that prepaid customers log in before downloading what they paid for. That is not a joke. If you were to upload pre-hashed files, then only you would have the foggiest idea what the filespecs are, but that would still not be a joke. The feature is not poorly implemented. It already provides for, and provides, "a specially formatted URL" by way of the hash "that both verifies the download and provides a page" consisting of the account itself, for authorized downloading only by prepaid customers who are logged into their accounts.
Hackers are a risk, but they will normally not be interested in your downloads. When they use /download/ they generally seek to inject code for a mime attack. If you see ANY files named *jpg* or route?* or *.php.*, get rid of those and ensure that your permissions are still 755 for directories and 644 for files. Be certain that your zero-byte (or 44-byte) /download/index.html is in place, and that .htaccess in the root prohibits viewing directory content, so that the most they would be able to shop for is index.html and see, preferably, only white.
jmanko wrote: Is there any way to protect downloads from being downloaded unless a valid purchase has been made (i.e., a specially formatted URL that both verifies the download and provides a page to actually download the file)? Right now I can download a file if I know the name. What kind of joke is that? If not, then why would OpenCart include such a poorly implemented feature in their software?
Can someone so easily guess the uploaded file's name? Also, change your download directory and they won't find it either.
MarketInSG wrote: Can someone so easily guess the uploaded file's name? Also, change your download directory and they won't find it either.
I resolved this. The problem was a combination of .htaccess not being there and misconfiguration on my part. Thanks for the input.
butte wrote: Be certain that your zero-byte (or 44-byte) /download/index.html is in place, and that .htaccess in the root prohibits viewing directory content, so that the most they would be able to shop for is index.html and see, preferably, only white.
You were spot on with this suggestion, butte. Thank you. For some reason my .htaccess was renamed to htaccess.txt.
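An added example, not code from the thread or from OpenCart: a POSIX shell audit that turns butte's checklist (a real .htaccess with directory listing disabled, the /download/index.html placeholder, 755/644 permissions, none of the *jpg* / route?* / *.php.* names) into a repeatable check, and also catches the exact failure jmanko hit, where the file exists only as htaccess.txt. The docroot layout and the fixture contents are constructed assumptions; the -Indexes test is the minimum the post asks for and does not reproduce OpenCart's full shipped .htaccess.

```shell
#!/bin/sh
# Added example (not OpenCart code): audit DOCROOT/download/ against the
# thread's checklist. Prints one finding per line; returns 1 if any.
audit_download_dir() {
    docroot="$1"
    dl="$docroot/download"
    rc=0

    # 1. Apache only honours the literal name .htaccess; htaccess.txt is ignored.
    if [ ! -f "$docroot/.htaccess" ]; then
        echo "MISSING: $docroot/.htaccess"
        if [ -f "$docroot/htaccess.txt" ]; then
            echo "HINT: found htaccess.txt, rename it to .htaccess"
        fi
        rc=1
    elif ! grep -qi '^[[:space:]]*Options.*-Indexes' "$docroot/.htaccess"; then
        echo "WEAK: $docroot/.htaccess does not set 'Options -Indexes'"
        rc=1
    fi

    # 2. Blank placeholder so a listing request returns "white", not an index.
    if [ ! -f "$dl/index.html" ]; then
        echo "MISSING: $dl/index.html"
        rc=1
    fi

    # 3. Directories 755, files 644 (find -perm with no prefix is an exact match).
    bad=$( { find "$dl" -type d ! -perm 755; find "$dl" -type f ! -perm 644; } )
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/BAD-PERM (want dirs 755, files 644): /'
        rc=1
    fi

    # 4. Names the post associates with injected files. Note '*jpg*' will also
    #    flag a legitimately uploaded image; review before deleting.
    sus=$(find "$dl" -type f \( -name '*jpg*' -o -name 'route?*' -o -name '*.php.*' \))
    if [ -n "$sus" ]; then
        printf '%s\n' "$sus" | sed 's/^/SUSPICIOUS: /'
        rc=1
    fi

    return $rc
}

# Constructed fixture reproducing the thread's broken state: misnamed
# htaccess.txt, a world-writable download dir, and one suspicious file.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/download"
    : > "$root/download/index.html"
    echo "data" > "$root/download/abc123.zip"          # a normal hashed download
    echo "<?php" > "$root/download/route1.php.jpg"     # constructed injected name
    echo "Options -Indexes" > "$root/htaccess.txt"     # wrong name, as in the thread
    chmod 644 "$root/download"/*
    chmod 777 "$root/download"
    echo "$root"
}

# Apply the fixes the thread arrived at, then re-audit.
fix_fixture() {
    root="$1"
    mv "$root/htaccess.txt" "$root/.htaccess"
    rm -f "$root/download/route1.php.jpg"
    chmod 755 "$root/download"
}

if [ "${1:-}" = "--demo" ]; then
    root=$(make_fixture)
    echo "== before =="; audit_download_dir "$root" || true
    fix_fixture "$root"
    echo "== after =="; audit_download_dir "$root" && echo "clean"
    rm -rf "$root"
fi
```

Run it as `sh audit.sh --demo` to see the fixture fail and then pass; against a live site, call `audit_download_dir /path/to/docroot` from a cron job so a renamed .htaccess or a permission change gets noticed before a crawler does.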