
File Uploader
completely insecure do not use!!!!!!!!!!!! (8 posts)

1 star
  1. norocketsurgeon
    Member
    Posted 1 year ago #

    [Title moderated - Don't shout at us]

    If you put this on your site and a hacker finds it they will own your site, and at worst they will own your entire server. No contact information for the author, but hopefully the WordPress security team takes this down when I contact them.

  2. esmi
    Forum Moderator
    Posted 1 year ago #

    On what evidence do you base these claims?

  3. norocketsurgeon
    Member
    Posted 1 year ago #

    Also, I've already emailed the content above to plugins [at] wordpress.com as a moderator you might want to delete the above post until this plugin gets taken down. Wouldn't want someone seeing that and hacking any site with this plugin on it.

  4. esmi
    Forum Moderator
    Posted 1 year ago #

    I've already emailed the content above to plugins [at] wordpress.com

    Try plugins [at] wordpress.org.

  5. norocketsurgeon
    Member
    Posted 1 year ago #

    Sorry, I mistyped. I checked, and I did email ".org". Also, I would appreciate it if you removed my first reply to you. I sent it quickly without thinking; a public forum isn't the best place to report security vulnerabilities before they have been fixed.

  6. knotdvn
    Member
    Posted 1 year ago #

    I can validate and confirm norocketsurgeon's findings.

  7. samrat131
    Member
    Plugin Author
    Posted 1 year ago #

    Hello norocketsurgeon, knotdvn and esmi,

    Would you please tell me exactly why this plugin has security vulnerability issues? If you kindly inform me, then I can fix it. It has already been downloaded 11k times and I have got good feedback for it. Also, many people email me asking why they can't download it anymore.

    I have noticed one thing: in the file upload section there is no restriction on the extension, so people can upload any file to the server and execute it. Apart from this, are there any other issues here, so I can fix them?

    And a request to esmi: after fixing, will you please make this plugin public again? That would be very much appreciated.

    Thanks

  8. norocketsurgeon
    Member
    Posted 1 year ago #

    Hi samrat,
    So you've got a couple of problems going on in this code:
    1) As you mentioned, you don't check for the .php extension. You might want to also consider checking the MIME type as well.

    2) you create the upload directory with 777 permissions which should basically NEVER be done. Check out this article for more background: http://codex.wordpress.org/Changing_File_Permissions
    ideally the folder should be something like 755 and the files should get chmoded to 644 after upload, or something similar.

    3) You make no attempt to prevent directory traversal. If you're not familiar with directory traversal you can learn more about it here:
    http://en.wikipedia.org/wiki/Directory_traversal_attack
    Directly checking for ".." isn't the best approach to protect against this. Ideally you should expand the file destination directory with realpath, then ensure it matches your intended destination directory for uploaded files.

    These steps will get you started toward a more secure file uploader. Personally, if I'm allowing anonymous submissions in a plugin, I put a ".htaccess" file in the upload directory that gives a 404 error when trying to access content within that directory. This makes it so the files are only accessible through a PHP script or through FTP/SSH access. It's a pain if you want them accessible through a web interface, since you have to write a script that serves up the document, but I think the security is worth it. (Also, with this approach you should make sure the file being uploaded isn't named .htaccess, obviously.)

    Cheers,
    Nolan
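Added example, not code from the plugin or from anyone in this thread: a PHP upload handler that applies the three fixes Nolan lists (allowlisted extension plus server-side MIME sniffing, a 755 directory with files chmoded to 644, and a realpath containment check instead of searching for ".."). The function name handle_upload, the $upload_dir parameter and the allowlist contents are assumptions.

```php
<?php
// Added example, not the plugin's own code. Hardened handler applying the
// checks described above; assumes $upload_dir already exists with mode 0755
// and sits outside any directory where PHP is executed.
function handle_upload(array $file, string $upload_dir): string
{
    // Allowlisted extensions and the MIME type each must actually contain.
    $allowed = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'pdf' => 'application/pdf'];

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }

    // basename() drops client-supplied path components ("../", "C:\...").
    $name = basename($file['name']);
    $stem = pathinfo($name, PATHINFO_FILENAME);
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));

    // Reject dotfiles (.htaccess), empty stems and any non-allowlisted
    // extension; .php, .phtml, etc. never pass this check.
    if ($stem === '' || $name[0] === '.' || !isset($allowed[$ext])) {
        throw new RuntimeException('File name or type not allowed');
    }
    // Keep the stored name to a conservative character set.
    $safe = preg_replace('/[^A-Za-z0-9_-]/', '_', $stem) . '.' . $ext;

    // Sniff the real content type; $file['type'] is attacker-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException('Content does not match extension');
    }

    // Resolve the destination with realpath() and confirm it is still inside
    // the intended upload directory before writing anything.
    $base = realpath($upload_dir);
    $dest = $base . DIRECTORY_SEPARATOR . $safe;
    if ($base === false || realpath(dirname($dest)) !== $base) {
        throw new RuntimeException('Destination escapes upload directory');
    }

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0644); // file 644; the directory stays 755, never 777
    return $dest;
}
```

MIME sniffing with finfo checks magic bytes only, so it is a second layer behind the extension allowlist rather than a replacement for it; Nolan's .htaccess that blocks direct access to the directory is a further layer this function does not add.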

This topic has been closed to new replies.