Export/Import File Security

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Export/Import File Security

    The following seems like an issue.

    Any file you import or export (customers, products, categories, etc.) in the admin has a copy saved in either assets/imports or assets/exports. I found that these files can be accessed without being logged into the admin. My stomach turned when I was able to access a customer export file without being in the admin. Shouldn't this require you to be logged into the admin? The names generated for the CSV files are too obvious and all have the same basic layout: type_userid_date-time.csv.

    Sample File Name:
    categories_56_2-6-2019-123456.csv
    customers_56_2-6-2019-123456.csv

    URL: example.com/assets/exports/customers_1_2-6-2019-123456.csv

    Or maybe I'm just overthinking it and it's highly unlikely someone will ever get one of these files.

  • #2
    imp_file.csv under assets/imports may be a bigger issue, since it's the same on all stores and doesn't require knowing the date, time, or anything else. But restricting everything to only someone logged into admin wouldn't work, since there are 3rd-party apps and such that grab certain files from the same spot. For example, Google pulls our product reviews from that folder on a weekly schedule. I guess more granular permissions would be the right solution.

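The "more granular permissions" suggested in #2 can be expressed as a small front-end gate in front of assets/exports and assets/imports: everything in those folders is hidden from anonymous requests except an explicit allowlist of feed files that outside services are expected to fetch, and admins see everything. The following is an added example written for this thread, not code from the store software or from either poster. It assumes a feed filename (product_reviews_feed.csv) and an admin check (an X-Admin request header standing in for a real session lookup); both are placeholders. Anonymous requests for protected files get a 404 rather than a 403, so the response does not confirm that a guessed export name exists.

```python
"""Gate admin import/export files behind an allowlist + admin check (example)."""
import logging
import re
from http import HTTPStatus
from pathlib import Path, PurePosixPath
from urllib.parse import unquote

log = logging.getLogger("export-gate")

# Folders the thread describes: copies of every admin import/export land here.
PROTECTED_PREFIXES = ("assets/exports/", "assets/imports/")

# Files that third parties legitimately fetch without logging in. Exact names
# only. The feed name below is an assumption for this example, not a real file.
PUBLIC_ALLOWLIST = frozenset({
    "assets/exports/product_reviews_feed.csv",
})

# The naming layout from the first post: type_userid_date-time.csv,
# e.g. customers_56_2-6-2019-123456.csv. Used only to flag guessing attempts.
EXPORT_NAME = re.compile(r"^[a-z]+_\d+_\d{1,2}-\d{1,2}-\d{4}-\d{6}\.csv$")


def looks_like_export(filename):
    """True if a basename matches the generated export/import naming layout."""
    return EXPORT_NAME.match(filename) is not None


def normalize(url_path):
    """Return the web-root-relative path, or None if it tries to climb out.

    Percent-decodes once (so %2e%2e is seen as ..), drops the query string,
    collapses '.' and repeated slashes. Case folding is not done here; on a
    case-insensitive filesystem the prefix check would need it too.
    """
    path = unquote(url_path.split("?", 1)[0])
    parts = []
    for part in PurePosixPath("/" + path).parts[1:]:
        if part == "..":
            return None  # traversal attempt; refuse outright
        parts.append(part)
    return "/".join(parts)


def decide(url_path, is_admin, allowlist=PUBLIC_ALLOWLIST):
    """Return the HTTP status the gate would answer with for this request.

    200: serve; 403: malformed/traversal path; 404: protected file and the
    caller is neither an admin nor asking for an allowlisted feed.
    """
    rel = normalize(url_path)
    if rel is None:
        return 403
    if not rel.startswith(PROTECTED_PREFIXES):
        return 200  # outside the import/export folders; not this gate's job
    if rel in allowlist or is_admin:
        return 200
    return 404  # hide existence of export files from anonymous callers


def make_app(web_root, is_admin):
    """Build a WSGI app serving files under web_root through decide()."""
    web_root = Path(web_root).resolve()

    def app(environ, start_response):
        url_path = environ.get("PATH_INFO", "/")
        admin = is_admin(environ)
        status = decide(url_path, admin)
        rel = normalize(url_path)
        if status == 200 and rel is not None:
            target = (web_root / rel).resolve()
            # Second containment check at filesystem level (symlinks etc.).
            if target.is_file() and web_root in target.parents:
                ctype = "text/csv" if target.suffix == ".csv" else "application/octet-stream"
                start_response("200 OK", [("Content-Type", ctype)])
                return [target.read_bytes()]
            status = 404
        if not admin and rel and looks_like_export(PurePosixPath(rel).name):
            log.warning("anonymous request for export-style name: %s", rel)
        start_response(f"{status} {HTTPStatus(status).phrase}",
                       [("Content-Type", "text/plain")])
        return [b""]

    return app


if __name__ == "__main__":
    # Placeholder admin check: a real deployment would consult the admin session.
    from wsgiref.simple_server import make_server
    logging.basicConfig(level=logging.WARNING)
    application = make_app(".", lambda env: env.get("HTTP_X_ADMIN") == "1")
    make_server("127.0.0.1", 8080, application).serve_forever()
```

Run it from the store's web root and request assets/exports/customers_1_2-6-2019-123456.csv with and without the placeholder header to see the 404/200 split; the allowlisted feed name answers 200 either way. The same policy can be pushed into the web server (a location block denying the two folders with per-file exceptions) once the set of third-party-fetched files is known.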