Security issue in file downloads - no help so far

I’ve been in contact with support and so far the responses are very generic.

When a direct link is made (i.e. in the s2member file directory without any ? coding etc) the file can be downloaded by anybody.

I noticed my host had nginx and this has now been disabled but still the same result.

This is a massive vulnerability and so far no one has given any help.

The various ways to link to protected files are given in Download Options -> Basic Download Restrictions and Download Options -> Advanced Download Restrictions.

The file is in the protected directory but can still be accessed publicly. If I use the /?s2member_file_download=example-file.zip it protects the file from non-members (i.e. public) but the actual link /s2member-files/example-file.zip is accessible by everyone.

Both things you referenced do not solve this issue.

Can anyone help?

Not what I expected in terms of premium user support…

You have a theme or plugin conflict.

I don’t…disabled all and still does it.

Okay, so I (think) it is sorted.

  • Turned off the firewall in WPSecurity Plugin
  • Turned off the brute force and IP restrictions in S2member (Restriction options)
  • Checked the .htaccess in root folder and in s2-memberfiles/ folder and neither had execute permissions. Updated them to have execute permission.

Seems to have fixed it, will check it again and see.

I have the same issue: the s2member-files folder is correctly secured by the htaccess file, but all files are accessible just by typing the direct URL.

Can anyone help?

Can anyone help?

Well, as the OP confirmed, his problem was caused by a plugin conflict, so have you disabled all your other plugins and switched to a default theme to see if this feature then works as expected?

Still the same problem before disabling all plugins. I think that the problem is with NGINX running on my hosting.

How do you have a .htaccess file with nginx?
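Added example, not part of the thread: nginx does not read .htaccess files, so a deny rule stored in the folder only takes effect when Apache is the server handling the request. This Python sketch serves a constructed s2member-files folder from a static server that, like nginx, ignores .htaccess, then requests the direct URL anonymously; the folder contents, the rule text and the helper names are assumptions.

```python
import functools, http.server, os, tempfile, threading
import urllib.error, urllib.request

# Path taken from the thread; file contents and the .htaccess rule are constructed.
DIRECT_PATH = "/s2member-files/example-file.zip"

class QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Plain static file server: like nginx, it never reads .htaccess."""
    def log_message(self, *args):
        pass

def direct_url_status(base_url, path=DIRECT_PATH):
    """HTTP status an anonymous client gets for the direct file URL."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(base_url + path, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def is_exposed(status):
    """Any 2xx means the file body was served without a membership check."""
    return 200 <= status < 300

def demo():
    """Serve a constructed 'protected' folder from a server that ignores .htaccess."""
    with tempfile.TemporaryDirectory() as root:
        folder = os.path.join(root, "s2member-files")
        os.makedirs(folder)
        with open(os.path.join(folder, ".htaccess"), "w") as fh:
            fh.write("deny from all\n")  # only Apache would enforce this
        with open(os.path.join(folder, "example-file.zip"), "wb") as fh:
            fh.write(b"constructed sample bytes")
        handler = functools.partial(QuietHandler, directory=root)
        server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            port = server.server_address[1]
            status = direct_url_status(f"http://127.0.0.1:{port}")
        finally:
            server.shutdown()
            server.server_close()
        return status, is_exposed(status)

if __name__ == "__main__":
    status, exposed = demo()
    print(f"direct URL -> HTTP {status}; exposed={exposed}")
```

Calling `direct_url_status` with your own site's base URL from a logged-out client gives the same check against the real server; a correctly protected folder should not return a 2xx status.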