Nicolas

Should I be worried about the « /wp-content/uploads/admin-columns/ » folder?

Hi,

First of all, thanks for the work you’re putting into Admin Columns Pro.
It’s worth every penny I’ve spent over the years. Keep up the good work!

More and more of my clients use the export feature and I’ve noticed that each CSV download generates a binary CSV file in the « /wp-content/uploads/admin-columns/ » folder.
Should I be worried about the contents of that folder?
Is there any risk of revealing user/admin sensitive data?
Should it be protected at webserver level via a specific directive in an .htaccess file?

Thanks in advance.

3 years, 5 months ago
Stefan van den Dungen Gronovius
Developer

Thanks for your message.
Yeah, you’re right, although those files are not guessable, they could be accessed directly if you know the URL.
Once an export is served, there is no actual need anymore to keep it on the server. To be honest, I think this was something that we intended to make/fix but escaped our attention. I’ll put it on the roadmap again so we can write a script or something that occasionally removes all files that are older than x days.

I’m not sure if it is necessary to restrict the folder with htaccess, but you can surely clear all files in that directory since the files are not necessary anymore once an export file is downloaded.

3 years, 5 months ago
Nicolas

Hi Stefan,

Thanks for your answer.

Happy to know it’ll be back on your roadmap.

As I’m using your plugin to allow my customers to extract data from contact forms filled in by visitors, I need to make sure those generated files can’t be accessed (even though they seem to be AES-256 encrypted). Privacy and GDPR concerns here.
In the meantime, I’ll restrict access to the export folder with htaccess and set up a cron job to periodically remove those files.

Hope you’re able to fix this issue in an upcoming release soon.

3 years, 5 months ago
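The interim mitigation described in the post above (deny direct web access to the export folder and purge old files from cron), as an added example that is not part of the original thread or the plugin's own code. It assumes Apache 2.4 with `AllowOverride` enabled for the uploads tree; the function names, the retention period and the path in the cron comment are hypothetical.

```shell
#!/bin/sh
# Added example: lock down and purge the Admin Columns export folder.
# Assumes Apache 2.4+ honouring .htaccess in the uploads tree
# (on nginx an .htaccess file has no effect; use a location block instead).

# write_deny_rule DIR: install an .htaccess that refuses every direct HTTP request.
write_deny_rule() {
    dir=$1
    tmp="$dir/.htaccess.$$"
    # Write to a temp name, then rename, so Apache never reads a half-written file.
    printf '%s\n' '# Block direct downloads of export files' \
                  'Require all denied' > "$tmp" || return 1
    chmod 644 "$tmp" && mv -f "$tmp" "$dir/.htaccess"
}

# purge_exports DIR DAYS: delete regular files whose age in whole days exceeds DAYS.
# Prints the number of files removed. Hypothetical helper name.
purge_exports() {
    dir=$1
    days=$2
    # Refuse symlinks and missing paths so a swapped directory cannot redirect the delete.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "not a real directory: $dir" >&2
        return 1
    fi
    case $days in
        ''|*[!0-9]*) echo "DAYS must be a whole number" >&2; return 1 ;;
    esac
    write_deny_rule "$dir" || return 1
    # -maxdepth 1 and -type f: only files directly in the folder, never symlink targets.
    find "$dir" -maxdepth 1 -type f ! -name '.htaccess' ! -name 'index.php' \
        -mtime +"$days" -exec rm -f {} \; -print | wc -l | tr -d ' '
}

# Cron usage (script location and site path are placeholders):
#   15 3 * * * /usr/local/bin/purge-exports.sh /var/www/example/wp-content/uploads/admin-columns 1
if [ "$#" -eq 2 ]; then
    purge_exports "$1" "$2"
fi
```

After installing the rule, request one known export URL and confirm the server answers 403; a 200 means `.htaccess` overrides are not being applied for that directory.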
Stefan van den Dungen Gronovius
Developer

I wanted to let you know that we’ve tackled this for the next release.
Instead of bulk preparing the export server-side, we now prepare the file client-side, so there is no need to store encrypted files anymore. This change will be available in the next release. Of course, it will also come with an update script that cleans the entire folder for orphaned CSV files in the admin-columns folder.

3 years, 4 months ago
Nicolas

Hi Stefan,

That’s awesome. I’m happy to know you’ve managed to make this a priority and fix it rapidly.
Looking forward to upgrading to the next release.

Many thanks. Great support! :)

3 years, 4 months ago
