Home › Forums › Plugin Support › user meta uploader.php vulnerability
- This topic has 7 replies, 3 voices, and was last updated 9 years, 6 months ago by smithandjones.
-
AuthorPosts
-
December 29, 2014 at 6:01 am #6607December 31, 2014 at 1:06 pm #6611xihad76Member
yet no reply from the developers. very very frustrating.
January 1, 2015 at 5:19 pm #6612KhaledMemberHi,
To protect uploader.php, we use nonce verification (http://codex.wordpress.org/Glossary#Nonce).
If you certainly believe, hacker are using uploader.php to upload malicious script, you can put following code to your functions.php
add_action( 'pf_file_upload_init', 'denyUploader' ); function denyUploader() { if ( ! is_user_logged_in() ) die(); }
When you use following code, only logged-in users can use uploader.php
And we will add some more verification to protect the script.
Thanks.
January 2, 2015 at 5:38 am #6613xihad76MemberThanks for the reply.
I am sure that was your plugin. hacker managed to upload double extension image (which was not an image btw) inside the files/ folder even when this plugin was deactivated.here is the vulnerability reported in multiple security sites about the plugin:
http://www.exploit-db.com/exploits/19052/
https://wpvulndb.com/vulnerabilities/6199
http://www.securityfocus.com/bid/53910/infoThis was first reported in version 1.1.1. So I went through the change log if this issue was fixed. I found no mention about that.
and here is another user who also thinks the same and posted about the vulnerability only 4 weeks ago.
https://wordpress.org/support/topic/plugin-vulnerability
hope this helps. good luck.
Zihad
January 2, 2015 at 9:07 pm #6614KhaledMemberHi Zihad,
Thanks for those links. Although it was not mentioned on change log, but we had solved the issue on version 1.1.2
If you directly access (or access by curl) http://mysite.com/wp-content/plugins/user-meta/framework/helper/uploader.php
it will gives “Security Check” error. It also generate error when plugin is not activated. Only way to hack is to generate nonce code. As the nonce code change dynamically, so it is not probable.BTW, beside nonce verification, we will add some more validation to make the script more secure (with next release).
June 6, 2015 at 9:44 am #7191smithandjonesMemberHi Khaled
I’ve just had my site hacked and I am using the User Meta Pro plug-in.
Can you explain what additional validation has been added to make the script more secure and which version this update was included in?
Regards
Robert
June 6, 2015 at 10:18 pm #7192KhaledMemberHello Robert,
We did secured our uploader script since version 1.1.2. However, with version 1.1.7rc3 we update the script to make it more secure and with stable version we will completely replace the script.
Thanks.
June 7, 2015 at 9:37 am #7196smithandjonesMemberHi Khalid
Thanks for the information. I have updated to V1.1.7rc3. Please do all you can to make the uploaded as secure as possible. My site is a trading site and hacking is a big issue for the confidence of my users.
Regards
Robert
-
AuthorPosts
- You must be logged in to reply to this topic.