Is revealing just the AUTH_KEY a security issue?

I am troubleshooting a WordPress plugin issue. It is a plugin that generates a zip file of existing files on the server and returns a link to download the file.

The plugin

https://wordpress.org/plugins/sp-client-document-manager/

The plugin add-on that is the source of the issue.

http://smartypantsplugins.com/downloads/sp-client-document-manager-batch-operations/

The plugin creates a directory to save the generated zip file, using the AUTH_KEY as the name of the directory. When the URL is returned to the client, it contains the AUTH_KEY as part of its path.

$zip_path = "" . SP_CDM_UPLOADS_DIR_URL . '' . AUTH_KEY . "/";

This returns a URL similar to the following:

http://www.example.com/wp-content/uploads/sp-client-document-manager/{the_wordpress_auth_key}/0123456789.zip

If any of the characters in the AUTH_KEY are not allowed in a URL, the download will return a 404. This is happening, but that can easily be fixed by changing the AUTH_KEY to a string that will work in a URL. My worry is the fact that it contains the AUTH_KEY.

Is revealing the AUTH_KEY by itself a reason for concern?

1 Answer

Well, AUTH_KEY and its brothers were introduced in WordPress 2.6 to improve safety for logged-in users. They are used to encrypt and validate the information in your backend login cookie.

While revealing the AUTH_KEY alone might not be a real security issue, you should nevertheless not output/use this anywhere to give less surface for attacks.

Furthermore, I don't see why you would use the AUTH_KEY to prepare a folder/download link. I think it would be much better to use something like time() to generate folder names if you want randomness or uniqueness or whatever, without compromising the security of the system.

Update: I opened a thread in the plugins support area. Let's see if the author responds to it.
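As an added example (not the plugin's code and not from the answer above), here is the exposing construction from the question beside a variant that names the download directory after a fresh random token instead of AUTH_KEY. SP_CDM_UPLOADS_DIR, the constant values and the AUTH_KEY stand-in are assumed placeholders; the token comes from random_bytes() rather than time() because a timestamp-based name is predictable, and its hex form also avoids the 404 caused by URL-unsafe characters.

```php
<?php
// Added example; constants below are constructed stand-ins, not real values.
if (!defined('AUTH_KEY')) {
    define('AUTH_KEY', 'placeholder-auth-key-with-#unsafe?chars');
}
if (!defined('SP_CDM_UPLOADS_DIR_URL')) {
    define('SP_CDM_UPLOADS_DIR_URL', 'http://www.example.com/wp-content/uploads/sp-client-document-manager/');
}
if (!defined('SP_CDM_UPLOADS_DIR')) {   // hypothetical filesystem counterpart of the URL constant
    define('SP_CDM_UPLOADS_DIR', sys_get_temp_dir() . '/sp-client-document-manager/');
}

// What the question describes: the secret AUTH_KEY becomes a path segment
// and is sent to the client inside the download URL.
function zip_url_exposing_auth_key(string $zip_name): string
{
    return SP_CDM_UPLOADS_DIR_URL . AUTH_KEY . '/' . $zip_name;
}

// Hardened variant: one unguessable, single-purpose token per download.
// Nothing else depends on it, so learning it reveals only that one download.
function create_zip_download_dir(): string
{
    $token = bin2hex(random_bytes(16));          // 32 hex chars, safe in URLs and paths
    $dir   = SP_CDM_UPLOADS_DIR . $token . '/';
    if (!mkdir($dir, 0750, true) && !is_dir($dir)) {
        throw new RuntimeException('cannot create download directory');
    }
    return $token;
}

function zip_url_with_token(string $token, string $zip_name): string
{
    // basename() keeps a caller-supplied name from escaping the token directory
    return SP_CDM_UPLOADS_DIR_URL . rawurlencode($token) . '/' . rawurlencode(basename($zip_name));
}

// Check a practitioner would add to a test suite: the URL handed to the client
// must never contain the site's AUTH_KEY.
function url_leaks_auth_key(string $url): bool
{
    return strpos($url, AUTH_KEY) !== false;
}

$token = create_zip_download_dir();
$safe  = zip_url_with_token($token, '0123456789.zip');
var_dump(url_leaks_auth_key(zip_url_exposing_auth_key('0123456789.zip')));  // bool(true)
var_dump(url_leaks_auth_key($safe));                                         // bool(false)
```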
