Version 1.3.5 is tested and verified on Joomla 3.3!
!!!Security Release 2012-01-02!!!
JED found an exploit in the code where they managed to upload a file named "file.php5". Unfortunately I had not added php5 to the blocked extensions list but now (version 1.3.5) it is added along with .php6 and an extra check to see if ".php" exists in the file-name!
Please make sure to update to version 1.3.5 as soon as possible!
UPDATE 2010-01-04: To be even more on the safe side I have now added code to inspect GIF comments. There is a new option called "Block PHP GIF comments" in the settings, set to "Yes" by default, which reads any GIF comment and blocks the upload if the comment contains any PHP code!
It includes the following key features:
- Multiple modules on the same page with different settings
- "Add Note" to uploaded files
- Image re-size
- Automated thumbnail creation for images
- Image compress for JPEG and PNG
- Now supports both "User Named Directory" and "User Defined Directory"! (see below)
- List files in upload directory in pop-up (FancyBox)
- Multiple files upload
- Notification e-mail
- And more...
- Integrated Ajax in Joomla framework
- "Blacklist" of extensions (threat-protection)
- Multi-select file browser for Firefox 3.6+ versions
- Info popup-box now contains the link (URL)
- URL attached in e-mail notice
- Redirect option after uploading
- User Named Directory: You can set a root path for User Named Directories, e.g. "/home/users/" and then select which users should have the option to use the directory.
- User Defined Directory: You can select from the list of users and add custom directory paths for the user.
- Multiple choice of upload paths added. If a user has "User Named Directory" and/or "User Defined Directory" the user will get a pop-up box asking for the directory to upload to.
- List files option from upload directory in "pop-up"
- Form Fields can now be collected into the same file. A few JED Image Galleries are using a parameter file for labels/description of images.
- Multiple languages.
Joomla 3.0 is now supported!
User Named Directories and User Defined Directories now also work on Joomla 3.+!
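The GIF comment inspection described in the 2010-01-04 update above can be pictured as follows. This is an added example, not code from the module: the function names and the sample GIF bytes are constructed for illustration, and treating any `<?` as PHP code is an assumption.

```php
<?php
// Added illustration, not the module's code; function names are hypothetical.
// Concatenate GIF data sub-blocks (length byte + data) up to the 0x00 terminator.
function read_sub_blocks(string $data, int &$pos): string {
    $out = '';
    while ($pos < strlen($data) && ($size = ord($data[$pos++])) !== 0) {
        $out .= substr($data, $pos, $size);
        $pos += $size;
    }
    return $out;
}

// Byte size of the color table announced by a packed-flags byte (0 if absent).
function color_table_size(int $flags): int {
    return ($flags & 0x80) ? 3 * (1 << (($flags & 0x07) + 1)) : 0;
}

// Payload of every Comment Extension (0x21 0xFE) in a GIF byte string.
function gif_comments(string $data): array {
    if (strlen($data) < 13 || !in_array(substr($data, 0, 6), ['GIF87a', 'GIF89a'], true)) {
        return [];
    }
    $pos = 13 + color_table_size(ord($data[10]));   // header + screen descriptor
    $comments = [];
    while ($pos + 1 < strlen($data)) {
        $block = ord($data[$pos++]);
        if ($block === 0x21) {                      // extension: label, then sub-blocks
            $label = ord($data[$pos++]);
            $payload = read_sub_blocks($data, $pos);
            if ($label === 0xFE) { $comments[] = $payload; }
        } elseif ($block === 0x2C && $pos + 9 < strlen($data)) {    // image descriptor
            $pos += 9 + color_table_size(ord($data[$pos + 8])) + 1; // +1: LZW code size
            read_sub_blocks($data, $pos);           // skip compressed pixel data
        } else {
            break;                                  // trailer (0x3B) or malformed data
        }
    }
    return $comments;
}

// True if any comment holds a PHP open tag ("<?" also covers "<?php" and "<?=").
function gif_has_php_comment(string $data): bool {
    return strpos(implode("\n", gif_comments($data)), '<?') !== false;
}

// Constructed sample: GIF89a header, 1x1 screen descriptor, one comment, trailer.
$make = fn(string $c): string => 'GIF89a' . pack('vvCCC', 1, 1, 0, 0, 0)
    . "\x21\xFE" . chr(strlen($c)) . $c . "\x00\x3B";
var_dump(gif_has_php_comment($make('<?php echo 1;')), gif_has_php_comment($make('made with GIMP')));
```

The scan covers only comment blocks. PHP text placed elsewhere in a file is not seen by it, so the extension blacklist and the ".php" file-name check remain the control that decides whether the server would interpret an upload.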
The only solution WAS a paid extension from CB.
But, this module simplifies the thing for free (well, let's donate when you earn profit from using this module)
As for the security vulnerability, IN ADDITION to utilizing the blacklist function, we can also put a .htaccess to disallow any file access from that particular upload folder.
Thanks for taking the time to review my extension!
The suggestion for .htaccess is very good and should be used if added security is required on the server!
For anyone using IIS here is an article that some other user sent me for .htaccess on IIS: http://forums.iis.net/p/1151878/1879997.aspx#1879997
Then I had a go at this extension and BAM, it does all I need.
The developer should look into the security "hole" found by the "Easy Uploader" developer though as no such attempt to prevent false file types seems to be included in the code.
I am very happy that I don't have to alter anything in this extension!
Keep up the good work!
Thanks for your kind review!
I am aware of this security "threat" and have already included a "black-list" for extensions in version 1.3 (are you using 1.2? In that case please upgrade to get the Black-list function).
I tested several different ways of securely detecting the type of file uploaded but I have not found any that would work on different PHP versions and/or platforms.
With the Black-list, even if an attacker fakes their way by changing the content-type, they will not be able to change the fact that the extension is required for the file to be interpreted by the server and thus it is "pretty" safe.
Another way is to block "web access" for the upload directory using .htaccess but then again the content (like images) will not be available for web pages either.
Unfortunately there is no good way of doing this in PHP versions lower than 5.3 and even with 5.3 many hosting providers are not allowing the use of file objects or exec functions which would be used to verify the "real" mime type.
The French translation is also very good. I could use the module out of the box. My purpose was to allow users to upload audio/video excerpts (which they later integrate in their articles with AVReloaded).
So thanks to the developer for sharing this great extension!
I am in the process of evaluating the various upload modules/components for Joomla in order to find one to suit my needs for my humble site.
I recommend simple file upload module.
It does what it says and works like a charm.
You don't have to mess with tons of options and surprise:
Andrew, the developer, will answer your questions and will modify/correct the module if needed.
In my case he mailed me - on his initiative - and made fixes in just one day taking in serious regard my observations.
There is no manual because it is not needed. You don't have to read tons of pages to make it work.
You will have it up and running (AND modified to your needs) in minutes.
Thought I would recommend the creation of a support forum for this great module.
Thanks, I really appreciate you taking the time to write the review!
You are not the first to ask for a support forum. The FAQ on my site has done its work but with the added functionality for "User Defined Directory" and "User Named Directory" I have noticed that I do get a lot more questions... I will give it some thought and probably put something up on my site shortly...
Btw, the name's Anders, not Andrew... ;)
It does all I could ask (and more)!
I needed the more flexible user management to be able to point each user's directory to a different location and this module made it possible. I had to ask for some help to do it but it was all in the settings.
I could just ask for some better instructions... but then again the developer helped out in just a few minutes.
Thanks for this great extension!
This is a bit crude in display, but with a little editing and tweaking on my end I can customize it. Functionality though seems to be working fine for me. Adjusting what file types are allowed is a breeze due to the pop-up letting you know exactly what isn't allowed. Just paste the string into the end of the list, and bingo, it's allowed.
One suggestion, when creating user directories I suggest that by default you automatically create an index.html file to be placed in the user directory created. This way you can keep the directory from being accessed from the URL bar.
Peter (Big Screen Entertainment Group)
Thanks for the feedback, Peter! I'm glad you like it!
In the latest release of v1.2 I have included the creation of an "index.html" file when SFU creates a new directory. (Thanks for the suggestion!)
I must really let Anders know how much I appreciate the help!
TACK! (=Thank You in Swedish) :)
It's perfectly simple and if you find something that doesn't work just right, the developer will fix it. I personally had an issue with html email not formatting exactly right (which really doesn't matter since only you get the email anyway) but I let Anders know what was going on and he had a fix to me and loaded on his site for everyone else in less than a day. He also made a few other changes for me and had them to me in less than a few hours.
In my experience this developer is quick to respond to, and solve, issues as they come up.
All in all, the extension does exactly what the developer says.
It is a perfectly simple solution for allowing users to upload files to your site, it's free, and it's getting better with each new release.