WordPress.org

Ready to get started?Download WordPress

Forums

[Plugin: TDO Mini Forms] URGENT: Security vulnerbility (3 posts)

  1. gmustuk
    Member
    Posted 4 years ago #

    A friend runs tdomf and their wordpress site was just hacked with all content replaced. After a bit of tracking down I found the source which was a php file that somehow got uploaded from what appears to be tdomf plugin.

    I found the file in this directory:

    public_html\wp-content\uploads\tdomf\tmp\1\41.100.204.30
    .admin.php and cmd.php

    WordPress labes uploads and puts them in a folder based on the module that was the source. So this appears to be the valid source

    I'm not sure if maintainers know about this but it looks like there is a major vulnerability in the module using some method of upload. I spent the past 4 hours trying to get things back up.

    http://wordpress.org/extend/plugins/tdo-mini-forms/

  2. the_dead_one
    Member
    Posted 4 years ago #

    Could you check what the settings of the Upload Widget are and make sure that ".php" is not listed "Allowed File Types"?

    If you put .php in this setting, it'll allow anyone to upload a .php file using the form.

  3. jburnham
    Member
    Posted 3 years ago #

    I setup a brand new blog in order to test this issue. No modifications were made to allowed file types and they are still ".txt .doc .pdf .jpg .gif .zip." I was able to upload a simple phpinfo page named info.php.jpg. It appears no actual checking of the file mime type appears to be done so as long as the file extension is allowed, it will be uploaded. The default path is web accessible in a fresh install as it's using the wp-content/uploads/

    At the very least a .htaccess file should be added with something like "Deny from all" to prevent web access to the tdof/tmp folder by default.

    So if a person knows their ip address, they can very easily create a link to the tmp files that were uploaded and access them. Imagine if this were a php file browser script. It can wreak havoc at that point.

Topic Closed

This topic has been closed to new replies.

About this Topic