Jump to content

Bug Report - Insecure Digital downloads v5.2.8


Recommended Posts

Are digital downloads meant to be secure allowing only the purchased customer to access them? or are they available to download via anybody that knows the link?


 I have found the latter true.
 To reproduce
1.  upload a file http://demo.cubecart.com/cc5/admin.php?_g=filemanager&mode=digital#upload
2. note the file name and log out of admin delete browser history.
3. Go to http://demo.cubecart.com/cc5/files/name_of_file.ext
4. File opens.

Does this means a customer can share a download link, making it insecure to sell digital files or they can have a guess at other files that maybe in the files folder by using sequential numbering?


Link to comment
Share on other sites

There are two approaches to digital files: within the store's environment, and outside the store's environment.


For inside the store's environment, you can have Cubecart upload files to the 'files' directory in the admin File Manager screen.


For outside the store's environment, the demo won't let you do this, and neither will your own store. You will need to FTP the file to your hosted site. Actually, CubeCart can upload to a folder outside of it's environment.


Your publicly accessible hosted space may be contained within the "public_html" folder - or something very similarly named. (Your hosting may even include a "public_ftp" folder, but still needs a user/pass to access it.) Everything in this folder and below is publicly accessible (unless an .htaccess file denies it).


Any folder that is a sibling or parent of "public_html" cannot be reached by the public using your domain name. But a PHP script can get to any folder your account has permission to access.


CubeCart 5's downloader will always try to send the downloadable file under [minimally] controlled conditions. That process starts with the link CubeCart created and included in the email to the customer. You can specify a fully qualified URL and CubeCart will 302 Redirect the browser to fetch the file from there.


When downloading, the browser knows the filename, but not the folder path it came from. A 302 Redirect will have the full path in the Response headers - not normally displayed by the typical browser.


So, in 'files' you could add nonsensical named sub-folders and put the files in there.


Alternatively, you would enter the complete path/name in the field provided for it to point to the file that sits outside "public_html".


Edit: 19 March 2014

Some of the above is now known to be less than 100% correct. Please see:

'?do=embed' frameborder='0' data-embedContent>>

Link to comment
Share on other sites


I think your deny from all will cause issues printing invoices if you don't allow your own external IP address in the .htaccess file, Reason being is I added the .htacces file to the files folder and when I tried to print an order with the printer icon I wasn't allowed to view the invoice and found the invoice was temporally put in the /files folder where the .htaccess file is not allowing me to view the invoice.

Link to comment
Share on other sites



I havent tested Al's solution myself but if indeed it does require your external IP address to be added then that isnt going to be easy for some people to do especially if on a dynamic IP address from your ISP which most people will be !  Regardless, a much better solution would be as originally suggested which is to create a "downloads" directory above the publicly accessible directory and add all downloads to that.




Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Create New...