Recently as I was playing around with some Dolphin 7 features I noticed I could actually download files and content, even if joining or becoming a member was required. Now this may not be important to everyone, but it's something some might be concerned about.
One of the things I have noticed is that a lot of folders/directories have an .htaccess file that is supposed to prevent people from directly accessing the files contained inside them. These would be things like the photo, files, and store modules for starters.
What is supposed to happen is that if someone navigates to the file by means of your site links, it will load it up, or let you download it if you have the required membership permission level. If they try to punch the actual path to the file into a web browser, they should be denied, blocked, or not allowed.
The .htaccess file in most of these folders/directories simply says the following:
Deny from all
Now this may work for some of you, but for many setups it might not be doing what it is supposed to do. For most of my setups I had to change it from:
Deny from all
Deny from all
After I made the change it worked as it should. It would allow my site to access the files in the directories/folders by means of navigation links on my site, but prevented me from entering the direct link into my address bar.
This is important if you have a lot of features set to members only. If only members are supposed to access these files, then it doesn't do much good if people can directly access the files and download them anyway without being a member.
The store module feature is one of these. If someone is selling something for, say, $20, and everyone can just punch in the direct address and download it for free... then what do you think they will do?
One has to know and figure out the Dolphin 7 file and folder structure to find the exact location, but this isn't difficult.
You can simply punch in the direct address to a file in your browser. If it's a picture and it loads in the browser, or if it's a .zip file, etc. and it prompts you to download, then the .htaccess file is not doing what it should.
Try changing the .htaccess code above and afterwards see if you can still download the file directly. If not, that is a good thing; it's what you are after. You will then want to access the file by means of your site to make sure your site is still loading it up, just to verify all is working the way it should.
There are a lot of locations in Dolphin 7 you may want to check and test. I do not have a full complete list, but generally it is most of the locations that you were asked to set to a 777 writable permission during installation.
Here are a few examples to check:
/modules/boonex/files/data/files/file-name-here (like 1.zip, 2.zip, or other)
Dolphin traditionally likes to name files consecutively like 1.jpg, 2.jpg, 3.jpg, etc. It is the same with the files/store module feature: they get named consecutively 1.zip, 2.zip, 3.zip, etc. So in reality one could quite easily download these if .htaccess isn't denying direct access like it is supposed to do.
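To find candidate locations on the server itself, the following added example (not code from Dolphin or from the original post) walks an install directory and lists world-writable directories that neither contain nor inherit an .htaccess with an uncommented deny-all line. It goes slightly beyond the post by also accepting the Apache 2.4 form, Require all denied; the function names are assumptions made for this example.

```python
import os
import re
import stat

# Directives that refuse every request: the Apache 2.2 line the post quotes
# and the Apache 2.4 equivalent. Commented-out lines do not match.
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I)


def htaccess_denies(directory):
    """True if directory/.htaccess has an uncommented deny-all directive."""
    path = os.path.join(directory, ".htaccess")
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return any(DENY_RE.match(line) for line in fh)
    except OSError:
        return False  # no .htaccess, or it cannot be read


def unprotected_writable_dirs(root):
    """List world-writable directories under root that no .htaccess covers.

    A deny-all in a parent directory also applies to its subdirectories,
    so coverage is inherited while walking down the tree.
    """
    root = os.path.abspath(root)
    findings = []
    covered = {}  # directory -> True if it or an ancestor denies access
    for current, _dirs, _files in os.walk(root):  # parents come first
        parent = os.path.dirname(current)
        inherited = covered.get(parent, False) if current != root else False
        covered[current] = inherited or htaccess_denies(current)
        mode = os.stat(current).st_mode
        if mode & stat.S_IWOTH and not covered[current]:
            findings.append(os.path.relpath(current, root))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for d in unprotected_writable_dirs(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("no deny-all .htaccess:", d)
```

A directory that does not show up here still needs the browser test described above, because the script only reads files and cannot tell whether Apache is configured to honour .htaccess (the AllowOverride setting).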
This is more along the lines of an inconvenience rather than a security issue.
Most average internet visitors will not know the exact file/folder/directory location, but there are always some that will try. And if there are files you do not want people seeing or downloading directly, then you might want to check this out.
Again, if your setup works as it is supposed to, then there is no need to mess with this.
I hope this isn't too confusing and makes sense.
The Ray folders I haven't been able to prevent direct access to without knocking the actual players offline while viewing from within a Dolphin site. It could be related to mod_security? Although I haven't spent too much time with the video features in Dolphin 7 yet. I keep hearing about people having trouble with video-related features in the new Dolphin 7. When I get a moment of free time, it will be something I will be looking into and checking out in more detail. I will be playing around with the .htaccess files in each of the Ray Flash Modules Files directory/folders when I get a chance.