PLEASE NOTE: These forums are no longer utilized and are provided as an archive for informational purposes only. All support issues will be handled via email using our support ticket system. For more detailed information on this change, please see this blog post.

Export download not working / security issue

  1. stickyeyes
    Member

    Hello,

We have been using Gravity Forms on a number of high-profile WordPress installations and discovered a serious security issue with the 'export' feature. It seems that the download feature does not work. I have tested it in the latest version of Firefox (4.0) and Google Chrome (12.0.712.0 Dev Build) and it simply does not download (or even alert the user to what has happened). Instead, it generates a file (perhaps temporarily) in a folder within the uploads directory. I assume that this is for streaming to the browser (when really it should be done on the fly using PHP headers instead of creating a hard copy of the file).

As a result of the above, the user-sensitive data now becomes publicly accessible, as the uploads directory requires 755 permissions as stated in the WordPress documentation. To combat this issue, a permissions change (using .htaccess, for example) to block access is required.

    Can someone please advise on whether this is an issue you guys are aware of and if not, investigate, as it is and has been (for us) a serious security flaw.

P.S. The export did work in Safari.

    Posted 13 years ago on Tuesday April 5, 2011 | Permalink
  2. stickyeyes
    Member

Just to add: I am unable to find a changelog for the latest version of Gravity Forms. Can anyone confirm if this issue has already been dealt with?

    Posted 13 years ago on Tuesday April 5, 2011 | Permalink
  3. You didn't say which version of Gravity Forms you are using. The export functionality has been rewritten in later versions and revised again in Gravity Forms v1.5. In later versions, a file isn't created. It's streamed directly to the browser and functions exactly like the WordPress Export feature for exporting posts. It was written the same way.

    Posted 13 years ago on Tuesday April 5, 2011 | Permalink
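The two export patterns discussed above, as an added example that is not Gravity Forms' own code and not taken from this thread: the first function reproduces the flaw reported in post 1 (the CSV is materialised under wp-content/uploads, which the web server must be able to read, so anyone who knows or guesses the file name can fetch it without logging in); the second is the streamed approach Carl describes in post 3 (authorise the request, send download headers, write straight to php://output, never touch the disk). It assumes a WordPress runtime (current_user_can, check_admin_referer, wp_upload_dir, nocache_headers and wp_die are WordPress core functions), an $entries array already fetched by the caller, and a hypothetical capability name 'export_form_entries' and nonce action 'export_entries'.

```php
<?php
/**
 * Added example, not Gravity Forms code. Assumes WordPress core is loaded.
 * The capability 'export_form_entries' and nonce action 'export_entries'
 * are hypothetical names chosen for illustration.
 */

/* Flawed: the export is written as a file inside the uploads directory.
 * That directory is served over HTTP and must be readable by the web
 * server (755), so the CSV becomes a public URL the moment it is written. */
function export_entries_to_uploads(array $entries): string {
    $upload = wp_upload_dir();                   // e.g. /var/www/wp-content/uploads
    $dir    = $upload['basedir'] . '/exports';
    if (!is_dir($dir)) {
        mkdir($dir, 0755, true);
    }
    $path = $dir . '/entries-' . date('Ymd-His') . '.csv';
    $fh   = fopen($path, 'w');
    foreach ($entries as $row) {
        fputcsv($fh, $row);
    }
    fclose($fh);
    // Now reachable unauthenticated at $upload['baseurl'] . '/exports/entries-<stamp>.csv'
    return $path;
}

/* Corrected: check who is asking, then stream the CSV with download
 * headers. Nothing is written to disk, so there is nothing to leak,
 * nothing to clean up, and no reliance on .htaccess rules being honoured. */
function stream_entries_export(array $entries, string $filename = 'entries.csv'): void {
    // Only a privileged user, and only from a form that carried a valid
    // nonce, may trigger an export (blocks CSRF-driven exports too).
    if (!current_user_can('export_form_entries')) {
        wp_die('You are not allowed to export entries.', '', array('response' => 403));
    }
    check_admin_referer('export_entries');

    // Restrict the file name to a safe character set so no caller-supplied
    // value can inject quotes or CR/LF into the Content-Disposition header.
    $filename = preg_replace('/[^A-Za-z0-9._-]/', '_', $filename);

    nocache_headers();                                   // keep PII out of browser/proxy caches
    header('Content-Type: text/csv; charset=utf-8');
    header('Content-Disposition: attachment; filename="' . $filename . '"');
    header('X-Content-Type-Options: nosniff');

    $out = fopen('php://output', 'w');
    if (!empty($entries)) {
        fputcsv($out, array_keys(reset($entries)));      // header row from the first record's keys
        foreach ($entries as $row) {
            fputcsv($out, $row);
        }
    }
    fclose($out);
    exit;                                                // nothing else may be appended to the download
}
```

For an installation still on a version that writes the file, the stopgap the original poster mentions is to deny HTTP access to that export folder with an .htaccess file (`Deny from all` on Apache 2.2, `Require all denied` on Apache 2.4). Two caveats: nginx and most other servers ignore .htaccess entirely, so the rule has to go into the server configuration instead, and the CSV still sits on disk readable by any process or account with access to the uploads tree, which the streamed version avoids altogether.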
  4. stickyeyes
    Member

    Hi Carl,

    We are using version 1.3.12.2. We haven't had our subscription that long but I am aware you are now at 1.5. Do you know if this is an issue that has been resolved in the latest version?

    Posted 13 years ago on Tuesday April 5, 2011 | Permalink
  5. Yes, it's been resolved. 1.3.12.2 is pretty old actually. There have been a few major releases since then, with 1.5 being the latest.

    Posted 13 years ago on Tuesday April 5, 2011 | Permalink