[thelist] CMS Recommendations
Christie Mason
cmason at managersforum.com
Tue Oct 6 12:34:56 CDT 2009
> -----Original Message-----
> From: Stephen Rider
>
> My corporate site has a bit of functionality where a non-techie
> employee has to upload data to our site.
>
> I have an Excel script that turns a worksheet into a csv data file,
> and then they upload it via FTP...
>
> --CM Replies--
>
> That's potentially a very, very dangerous approach. Anyone who knows about
> that uploaded file could view it at any time, ex-employees, current
> employees, search engines, and many others. It's a big security hole,
> especially if the folder's not password protected and the search engines are
> crawling it. If that's confidential data, then that's the type of exposure
> that leads to headlines and lawsuits.
A legitimate concern. I should have mentioned that the data directory
is not public -- it's above the web root level, so not viewable via
the web.

...though notably the web design firm that made the site did put it in
the web directory; one of the first things I did was move it.

And in my case it's public data anyway -- it's there for the purpose
of displaying on a page on the site. Still -- thanks for the
caution -- you made an excellent point and I should have been more
clear.

Stephen
--CM Replies--
That's good to know. I just didn't want anyone else thinking that was the
right thing to do w/o thinking through the security implications.
Christie Mason
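
The point discussed in this thread (an upload directory inside the web directory versus one moved above the web root), as an added example that is not part of the original messages: a Python check that reports whether a data directory is reachable through the web root, including through a symlink left behind inside it. The directory layout is constructed and the function names are hypothetical.

```python
import os
import tempfile

def _inside(path, root):
    """True if the resolved `path` is `root` or lies beneath it."""
    path, root = os.path.realpath(path), os.path.realpath(root)
    return os.path.commonpath([path, root]) == root

def exposure_paths(data_dir, web_root):
    """Return the ways data_dir can be served out of web_root.

    Two cases: the data directory physically sits inside the web root,
    or a symlink under the web root resolves into (or above) it.
    """
    findings = []
    if _inside(data_dir, web_root):
        findings.append(("inside_web_root", os.path.realpath(data_dir)))
    # followlinks=False: symlinks are reported but never descended into.
    for cur, dirs, files in os.walk(web_root, followlinks=False):
        for name in dirs + files:
            entry = os.path.join(cur, name)
            if os.path.islink(entry) and (
                _inside(entry, data_dir) or _inside(data_dir, entry)
            ):
                findings.append(("symlink_into_data", entry))
    return findings

def demo():
    """Constructed layout: <tmp>/site/public_html is the web root."""
    base = tempfile.mkdtemp()
    web = os.path.join(base, "site", "public_html")
    bad = os.path.join(web, "data")             # upload dir inside web root
    good = os.path.join(base, "site", "data")   # upload dir above web root
    os.makedirs(bad)
    os.makedirs(good)
    before = exposure_paths(bad, web)
    os.rmdir(bad)
    after_move = exposure_paths(good, web)
    os.symlink(good, os.path.join(web, "csv"))  # leftover convenience link
    with_link = exposure_paths(good, web)
    return before, after_move, with_link

if __name__ == "__main__":
    for label, result in zip(("before", "after move", "with symlink"), demo()):
        print(label, result)
```

Whether the web server actually follows symlinks depends on its configuration, which this check does not read; it only reports that the link exists.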