WordPress.org

WordPress Download Manager
[resolved] Malicious Software - process.php (14 posts)

  1. jimisaacs
    Member
    Posted 1 year ago #

    Hello, I recently installed this plugin to replace Download Monitor that I've used for a few years now.

    Not a week since installing it, my hosting company of around 7 years flagged my account because of security concerns based on the plugins/download-manager/process.php file.

    What is wrong with this file, how may it be fixed?

    http://wordpress.org/extend/plugins/download-manager/

  2. jimisaacs
    Member
    Posted 1 year ago #

    I finally took a closer look at this file, and it's pretty open.

    There is no nonce in use here, and I see a possible mysql injection vulnerability here:
    $data = $wpdb->get_row("select * from ahm_files where id='$id'",ARRAY_A);

    It also outputs full file paths on error for example:
    die("".dirname(__FILE__).'/cache/ is missing!' );

    This is just in the top 20 lines.
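For readers following the two lines quoted in this post, here is an added example (not code from the plugin or from anyone in this thread) showing each pattern next to the form WordPress itself recommends: a parameterised query via $wpdb->prepare() and an error path that keeps the server's file system layout out of the response. The table name ahm_files and the $id input come from the post; the function names and the 500 status are assumptions.

```php
<?php
// Added example, not the plugin's code. Table ahm_files and $id are from the
// forum post; function names and the response code are assumed.

// --- Query ---
// Quoted pattern: $id is interpolated straight into the SQL text, so its
// safety depends entirely on whatever sanitised it upstream.
function lookup_file_unsafe( $wpdb, $id ) {
    return $wpdb->get_row( "select * from ahm_files where id='$id'", ARRAY_A );
}

// Hardened: the value is bound through $wpdb->prepare(); %d forces an integer,
// so quotes or operators in the request never become part of the query.
function lookup_file_safe( $wpdb, $id ) {
    $id = absint( $id );
    if ( 0 === $id ) {
        return null; // reject missing or non-numeric ids before touching the DB
    }
    return $wpdb->get_row(
        $wpdb->prepare( 'SELECT * FROM ahm_files WHERE id = %d', $id ),
        ARRAY_A
    );
}

// --- Error output ---
// Quoted pattern: the absolute plugin directory is echoed to the visitor.
function check_cache_unsafe() {
    if ( ! is_dir( dirname( __FILE__ ) . '/cache/' ) ) {
        die( "" . dirname( __FILE__ ) . '/cache/ is missing!' );
    }
}

// Hardened: the path goes to the server log for the administrator; the visitor
// gets a generic message and a proper 5xx status.
function check_cache_safe() {
    $cache = dirname( __FILE__ ) . '/cache/';
    if ( ! is_dir( $cache ) ) {
        error_log( 'download-manager: cache directory missing: ' . $cache );
        wp_die( 'Download temporarily unavailable.', 'Error', array( 'response' => 500 ) );
    }
}
```

The nonce point raised in the post is separate: wp_verify_nonce() only helps for requests that should originate from the site's own pages, so whether it applies depends on how the plugin builds its download links.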

  3. jimisaacs
    Member
    Posted 1 year ago #

    I have to be honest, if this is the first 20 lines of code I see, I'm pretty worried about the rest of this plugin.

  4. Shaon
    Member
    Plugin Author

    Posted 1 year ago #

    What reason did your hosting company show you, and could you please tell me how you found the vulnerability in the code? That would be a great help for me and 1000s of other users who are using wpdm.

  5. jimisaacs
    Member
    Posted 1 year ago #

    I'm still trying to get more specifics out of them. Everything I've said and looked for so far is just speculation by me. I'll update this thread when I get something more concrete from them.

  6. Shaon
    Member
    Plugin Author

    Posted 1 year ago #

    BTW, the lines you mentioned in your reply are completely safe. But please let me know if you find any weak point. That will help me a lot :).

  7. jimisaacs
    Member
    Posted 1 year ago #

    Shaon,

    Thanks for the reply. I received a response, but unfortunately it's pretty general at the moment. To summarize, they said the wp-content/plugins/download-manager/process.php script was causing a server overload (I'm also on shared hosting). They couldn't give me any more information, but I replied asking for more if possible; I even referenced this thread in the ticket.

  8. jimisaacs
    Member
    Posted 1 year ago #

    I have enabled the plugin again, and it is being monitored by my hosting provider, so I should be able to update this thread with more info if the same thing happens again.

  9. Shaon
    Member
    Plugin Author

    Posted 1 year ago #

    OK, then it's not a problem with the code actually :). "Causing a server overload" may be because of huge downloads from your site and your hosting provider trying to limit it.

  10. jimisaacs
    Member
    Posted 1 year ago #

    I'm sorry, but I'm not an ignoramus. The biggest download on my site is 2MB. Not huge. I haven't added a new download in 3 years.

    I think I need to copy and paste what I wrote at the beginning of this thread, "Hello, I recently installed this plugin to replace Download Monitor that I've used for a few years now."

    All this happened only after I changed to Download Manager. Nothing really in download sizes from one plugin to another. But one caused a server overload somehow, and another did not.

  11. rwilki
    Member
    Posted 1 year ago #

    It was reported that there were XSS vulnerabilities with this plugin, but I think they've been updated...
    osvdb.org

  12. rwilki
    Member
    Posted 1 year ago #

    Just tested this plugin and it's awesome. I hope the vulnerabilities are all gone.

  13. jimisaacs
    Member
    Posted 1 year ago #

    @rwilki Thanks for the link. This one, http://osvdb.org/show/osvdb/92119, in particular caught my eye, as the disclosure date was yesterday. I was thinking a hacker may have exploited a vulnerable link (or many of them) on my site and caused a server overload; this is again just speculation by me.

  14. jimisaacs
    Member
    Posted 1 year ago #

    OK, follow-up on the last comment: this is not the plugin we are discussing, but this one: http://wordpress.org/extend/plugins/wp-downloadmanager/

Topic Closed

This topic has been closed to new replies.
