WordPress.org


Forums

Uploader
Uploadify security flaw, plug-in does not require admin access to upload files! (1 post)

  1. DigiP
    Member
    Posted 1 year ago

    I did not discover this, but it appears this plug-in uses the uploadify script and does not require admin access to execute the script. See here: http://packetstormsecurity.com/files/119219/WordPress-Uploader-1.0.4-Shell-Upload.html

    No files of the plug-in, including an upload script, should allow external access to upload files to a user's site. The file should be re-written to block non-logged-in users, use a nonce to prevent CSRF attacks, and block direct access to the file, as well as sanitize what files a user can upload, i.e. only allow specific file types such as images and documents, and not php, pl, swf, etc.

    http://wordpress.org/extend/plugins/uploader/
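One way to implement the four fixes the post asks for (reject non-logged-in users, check a nonce, block direct access to the handler file, allow-list the upload types), as an added example that is not part of the original post and is not the Uploader plugin's own code. It uses only standard WordPress API functions; the action name `hardened_example_upload`, the nonce field name `nonce`, the file field name `file` and the script handle `hardened-example-uploader` are assumptions for the example.

```php
<?php
/**
 * Hardened upload endpoint for a hypothetical WordPress plugin (example only).
 *
 * Only a wp_ajax_* hook is registered. WordPress routes wp_ajax_* actions
 * exclusively to logged-in users; because no wp_ajax_nopriv_* hook exists,
 * an anonymous request to admin-ajax.php never reaches the handler.
 */

// Block direct access: WordPress defines ABSPATH before loading a plugin file,
// so a request aimed straight at this file (outside WordPress) simply exits.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Hypothetical action name (assumption for this example).
add_action( 'wp_ajax_hardened_example_upload', 'hardened_example_handle_upload' );

function hardened_example_handle_upload() {
    // 1. Authentication AND authorisation: the user must be logged in and hold
    //    the 'upload_files' capability (subscribers do not have it by default).
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // 2. CSRF protection: verify the nonce posted in the 'nonce' field.
    //    check_ajax_referer() terminates the request with 403 on failure.
    check_ajax_referer( 'hardened_example_upload', 'nonce' );

    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'No file received.' ), 400 );
    }

    // 3. Allow-list of permitted types, matched on both extension and sniffed MIME type.
    //    Anything not listed here (php, pl, swf, html, ...) is rejected.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'pdf'      => 'application/pdf',
    );
    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( array( 'message' => 'File type not permitted.' ), 415 );
    }

    // 4. Let WordPress move the file: it sanitises the filename, re-applies the
    //    same allow-list through the 'mimes' override, and stores the file under
    //    the uploads directory rather than anywhere the client chooses.
    $result = wp_handle_upload(
        $_FILES['file'],
        array(
            'test_form' => false,   // no wp_upload_form hidden field in this flow
            'mimes'     => $allowed,
        )
    );

    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ), 400 );
    }

    wp_send_json_success( array( 'url' => esc_url_raw( $result['url'] ) ) );
}

// The admin page that hosts the uploader hands the nonce to its JavaScript,
// which must send it back in the 'nonce' field with every upload request.
// The script handle is assumed to have been registered with wp_register_script().
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'hardened-example-uploader', 'hardenedExampleUpload', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'hardened_example_upload' ),
    ) );
} );
```

The order of the checks matters: the capability test and nonce check run before any file data is inspected, so an unauthenticated or forged request costs nothing beyond the rejection. The allow-list is applied twice on purpose, once explicitly and once by `wp_handle_upload()`, so that a future edit to one call cannot silently re-admit executable types.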

Topic Closed

This topic has been closed to new replies.
