Menu

Home Forums Plugin Support user meta uploader.php vulnerability

Viewing 8 posts - 1 through 8 (of 8 total)
  • Author
    Posts
  • December 29, 2014 at 6:01 am #6607
    xihad76
    Member

    In last 2 months my 2 sites got hacked 4 times because of this plugin. hacker successfully was able to upload malicious script using this plugin and hacked my site. Dear developer, are you aware of it’s vulnerability? I can see the vulnerability was posted couple of years ago online but yet not fixed. Can you please look into this issue urgent? otherwise I will have no other choice but to abandon this plugin, which will be sad. I like this plugin. thanks in advance.

    December 31, 2014 at 1:06 pm #6611
    xihad76
    Member

    yet no reply from the developers. very very frustrating.

    January 1, 2015 at 5:19 pm #6612
    Khaled
    Member

    Hi,

    To protect uploader.php, we use nonce verification (http://codex.wordpress.org/Glossary#Nonce).

    If you certainly believe, hacker are using uploader.php to upload malicious script, you can put following code to your functions.php

    add_action( 'pf_file_upload_init', 'denyUploader' );
function denyUploader() {
    if ( ! is_user_logged_in() )
        die();
}

    When you use following code, only logged-in users can use uploader.php

    And we will add some more verification to protect the script.

    Thanks.

    January 2, 2015 at 5:38 am #6613
    xihad76
    Member

    Thanks for the reply.
    I am sure that was your plugin. hacker managed to upload double extension image (which was not an image btw) inside the files/ folder even when this plugin was deactivated.

    here is the vulnerability reported in multiple security sites about the plugin:

    http://www.exploit-db.com/exploits/19052/
    https://wpvulndb.com/vulnerabilities/6199
    http://www.securityfocus.com/bid/53910/info

    This was first reported in version 1.1.1. So I went through the change log if this issue was fixed. I found no mention about that.

    and here is another user who also thinks the same and posted about the vulnerability only 4 weeks ago.

    https://wordpress.org/support/topic/plugin-vulnerability

    hope this helps. good luck.

    Zihad

    January 2, 2015 at 9:07 pm #6614
    Khaled
    Member

    Hi Zihad,

    Thanks for those links. Although it was not mentioned on change log, but we had solved the issue on version 1.1.2

    If you directly access (or access by curl) http://mysite.com/wp-content/plugins/user-meta/framework/helper/uploader.php
    it will gives “Security Check” error. It also generate error when plugin is not activated. Only way to hack is to generate nonce code. As the nonce code change dynamically, so it is not probable.

    BTW, beside nonce verification, we will add some more validation to make the script more secure (with next release).

    June 6, 2015 at 9:44 am #7191
    smithandjones
    Member

    Hi Khaled

    I’ve just had my site hacked and I am using the User Meta Pro plug-in.

    Can you explain what additional validation has been added to make the script more secure and which version this update was included in?

    Regards

    Robert

    June 6, 2015 at 10:18 pm #7192
    Khaled
    Member

    Hello Robert,

    We did secured our uploader script since version 1.1.2. However, with version 1.1.7rc3 we update the script to make it more secure and with stable version we will completely replace the script.

    Thanks.

    June 7, 2015 at 9:37 am #7196
    smithandjones
    Member

    Hi Khalid

    Thanks for the information. I have updated to V1.1.7rc3. Please do all you can to make the uploaded as secure as possible. My site is a trading site and hacking is a big issue for the confidence of my users.

    Regards

    Robert

  • Author
    Posts
Viewing 8 posts - 1 through 8 (of 8 total)
  • You must be logged in to reply to this topic.