The Joomla! Extensions Directory ™

codeice

Reviews (2)
by codeice, December 7, 2011
Simple File Upload
Version 1.3 on Joomla 1.5.25

It functions as described, potentially a very useful module, but...

Allowed file types can be set up in the config settings; however, this did not stop malicious files being uploaded, such as "xxxx.php.jpg" or "xxxx.php.pjpg".

The .php.jpg and .php.pjpg extensions gave the clue that these were bad files, later confirmed by our anti-virus check as containing trojans.

After these files were uploaded to my site (and deleted) I checked the module config settings and found that it had been reset to the defaults and that no further changes could be made in the backend. Clearly "something" had affected it and so the module was removed from the site and an alternative is now being used.

The site concerned is protected by a security suite and no subsequent problems were detected. The problem therefore seemed to emanate from this module and is a significant security issue, particularly for sites that handle image files from users as ours does.

I attempted contact with the developer through his website contact form as I felt that he should at least be aware of this issue - 10 days later no response! (Did get an automated "email received" reply though).

So, 2 stars only awarded as it does function as generally described but note our experience re security problem and no developer support.
Owner's reply

I am very sorry to hear that. Unfortunately allowing uploads to your site is always a risk, regardless of how it's done.

Unfortunately you supplied me with a faulty e-mail address so the e-mail bounced back. I answered your comment on my website 6 minutes after you added it!

The default setting in Simple File Upload is to BLOCK files like "xxxx.php.jpg" and according to your description in the mail you had changed that for some reason... :o

You should always make sure your site is secure and won't allow executing files like "xxxx.php.jpg"!

Since the attacker somehow managed to change the name of the file, you have some other exploit too, as that wouldn't be possible through Simple File Upload.

Please make sure to make a thorough security review of your server and PHP settings!

Regards,
Anders
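
The exchange above turns on two separate controls: the upload module's own file-type check, and whether the web server will execute a name like "xxxx.php.jpg" at all. The following is an added example written for this page, not code from Simple File Upload, Joomla or the developer, showing how a defender-side name check can reject double extensions rather than only looking at the last one. The function names, the list of executable extensions and the sample file names are assumptions constructed for the example.

```php
<?php
// Added example (not part of Simple File Upload or Joomla): validate an
// uploaded file name so that double extensions such as "xxxx.php.jpg"
// are rejected, not just names whose LAST extension is disallowed.

declare(strict_types=1);

// Extensions a web server might hand to a script handler. Constructed list
// for this example; adjust it to the handlers actually enabled on your server.
const EXECUTABLE_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar',
    'cgi', 'pl', 'py', 'sh', 'htaccess',
];

/**
 * Return true only when $name is a plain file name whose final extension is
 * in $allowed and whose OTHER dot-separated segments contain no extension
 * a web server could execute.
 */
function isSafeUploadName(string $name, array $allowed): bool
{
    // Strip any directory part: an upload must not choose its own path.
    $name = basename($name);

    // Reject empty names, dot-files and names containing control characters.
    if ($name === '' || $name[0] === '.' || preg_match('/[\x00-\x1f\x7f]/', $name)) {
        return false;
    }

    $parts = explode('.', strtolower($name));
    if (count($parts) < 2) {
        return false; // no extension at all
    }

    $final = array_pop($parts);
    if (!in_array($final, array_map('strtolower', $allowed), true)) {
        return false; // final extension is not on the allowlist
    }

    // Every remaining segment ("xxxx" and "php" in "xxxx.php.jpg") must be
    // free of executable extensions: Apache's mod_mime treats each segment as
    // an extension, so "xxxx.php.jpg" can still reach the PHP handler.
    foreach ($parts as $segment) {
        if (in_array($segment, EXECUTABLE_EXTENSIONS, true)) {
            return false;
        }
    }

    return true;
}

/**
 * Choose a server-generated name for storage, so that even a name that
 * passes the check above is never used verbatim on disk.
 */
function storageName(string $originalName): string
{
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/**
 * Second line of defence: confirm the bytes really are an image. A name
 * check alone says nothing about the content.
 */
function isImageContent(string $path): bool
{
    return getimagesize($path) !== false;
}

// Demonstration with the names quoted in the review (constructed inputs).
$allowed = ['jpg', 'jpeg', 'png', 'gif'];
$samples = ['photo.jpg', 'xxxx.php.jpg', 'xxxx.php.pjpg', 'shell.phtml', '.htaccess', 'a.PHP.JPG'];
foreach ($samples as $candidate) {
    printf("%-16s %s\n", $candidate, isSafeUploadName($candidate, $allowed) ? 'accept' : 'reject');
}
```

Of the six sample names only "photo.jpg" is accepted; "xxxx.php.jpg" and "a.PHP.JPG" fail on the inner "php" segment, and the rest fail the final-extension or dot-file checks. The check complements, rather than replaces, the server-side point made in the owner's reply: on Apache with mod_php, an `AddHandler application/x-httpd-php .php` directive matches the ".php" segment anywhere in the name, so the upload directory should additionally have script execution disabled (for example `php_flag engine off` in its .htaccess, or a `SetHandler` scoped to `<FilesMatch "\.php$">` so that only names ending in .php are executed).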

by codeice, October 15, 2011
SP Digital Goods
Does exactly what I wanted. I am using this extension together with SP Thumbnails, which form a brilliant system for selling royalty free files.
Email support from the developer has been very good and very quick, and so I am very happy to endorse this extension.