Support » Plugin: WP Job Manager » Job Manager Uploads Folder Hacked

  • Resolved gstar

    (@gstar)



    We are getting hackers uploading files to:

    wp-content/uploads/job-manager-uploads/company_logo/

    Any way of solving this?

Viewing 15 replies - 1 through 15 (of 15 total)
  • Same here 🙁

    We have seven websites running WP JOB MANAGER plugin and all have been infected and one even blocked by the domain registrar!!

    Please, we need an urgent solution to this.

    Well this is concerning! What file types were uploaded? Luckily my install has not been infected.

    Based on a cursory look, things look secure in that the plugin limits mime types both on the client side with javascript (easily bypassed) but then also in the job_manager_upload_file() and job_manager_get_allowed_mime_types() functions in the file /wp-job-manager-functions.php where the company logo allowed mime types are png, gif and jpeg.

    In all cases it was either gif or jpg.

    This triggered some strange security warning from some security company and one domain even got blocked based on this (until I removed the file).

    Also my host was warned.

    Were the gif or jpg files images that were uploaded used in spamming or phishing?

    It would seem anyone can join as an employer and basically use the jobs website as an image host, even before the job is approved their uploaded image file already exists at:
    http://JOBS-DOMAIN/wp-content/uploads/job-manager-uploads/company_logo/2017/07/USERS-ILENAME.jpg

    Which the abuser then img src’s in a spam or phishing email. Then your host/domain provider hears about it when the phishing attack is reported, they see you as hosting the image host and believe your site is compromised.

    I am thinking a good way to prevent this is for WP Job Manager to release a fix where the company_logo, featured image, and resume files are given random filenames so that the attacker can not know what the filename would be until the job is approved… but we would of course not approve a job after seeing a malicious image file.

    Well I just added this filter to my functions.php which will rename WP uploads to be a hash of the original filename.

    https://stackoverflow.com/questions/3259696/rename-files-during-upload-within-wordpress-backend

    HOWEVER, on testing this I just realized that it’s pointless because as soon as someone uploads a company logo in a job submission form, their uploaded filename URL is revealed to them in the thumbnail preview right there on the job submit form, even before they submit the job.

    So clearly my idea would not work. Perhaps the thumbnail could be displayed by way of an img src to a PHP file that acts as a gate, serving up the image encoding of the thumbnail if its request has a referrer coming from the website or if the request is made, say, within 5 minutes of the file’s creation date.


    Yes, exactly that was the issue.

    The uploaded file is a phishing/spam use and our site gets the responsibility.

    Very dangerous! I hope there is a solution for this.

    Or a way to turn off image upload? Not like many employers are even using it.

    This $39 addon plugin, WP Jobs Manager Field Editor:
    https://plugins.smyl.es/wp-job-manager-field-editor/
    allows you to disable the Feature Image from the jobs fields and the Company Logo from the Company fields, however I have not tried this so I can’t guarantee there aren’t any issues with disabling these, but it should work fine I believe.

    Employers on my site use company logos on most posts and I feel it really helps spruce up the listings.

    It would be great if WP Job Manager could come up with a fix to prevent their plugin from being used as a way for spammers/phishers to host images. In addition to my other suggested fixes, even just limiting the thumbnail to a 50×50 image would be effective. Currently the thumbnail preview that is img src’d on the job submit form after upload is the full file that was just uploaded, so a spammer can basically upload and then hot link to an 800px or larger image by simply going to the job post form and selecting it from their hard drive! If WP Job Manager could resize this image to 50×50 before displaying it on the form, that would greatly limit the appeal to spammers. Currently the thumbnail that the form displays is resized with CSS and all it takes is a right-click on the thumbnail to discover the full size image URL.

    Plugin Author jonryan

    (@jonryan)

    @gstar @rogier1988 @etheos sorry for the slow response here. Yes, there was a vulnerability reported and we updated the plugin immediately after some discussion. The update was released 29 days ago. Here is the changelog with a link to the issue:

    https://github.com/Automattic/WP-Job-Manager/blob/master/changelog.txt

    I added an announcement and sticky post about this on the forum which can be found here: https://wordpress.org/support/topic/wp-job-manager-1-26-2-released/

    Can you please check the version of WPJM you are running and confirm to us which version you are using. If you are using 1.26.2 and there is a new vulnerability we need to get that sorted out.

    Plugin Vulnerabilities

    (@pluginvulnerabilities)

    @jonryan
    If you read the posts above, what is being reported is that there are people abusing the ability to upload image files through this plugin. The change made in 1.26.2 only “Prevents use of Ajax file upload endpoint for visitors who aren’t logged in”, it isn’t clear what vulnerability that was supposed to resolve since by default anyone can still upload image files through the plugin after that change.

    @etheos’s proposal seems like it might be a reasonable thing to try to resolve the abuse of this.

    Thanks @pluginvulnerabilities I was going to reply similarly.

    @jonryan, here’s an example of the abuse…

    1) Someone goes to:
    https://demo.wpjobmanager.com/post-a-job/

    2) They scroll right down to “Feature Image” and click “Choose an Image”,
    then select an image from their hard drive and it uploads.

    3) The thumbnail displays as 100×100. They right-click on the thumbnail and copy the full sized image URL, which in this case is a 2550px x 1600px sunset:
    https://demo.wpjobmanager.com/wp-content/uploads/job-manager-uploads/featured_image/2017/07/sunset-3.jpg

    They then use it in their spam completely unbeknownst to the website owner.

    If you could only img src a 100×100 thumbnail it would really limit the appeal. Unless the spammer could deduce the name of the fullsize file URL just by removing 100×100 from the filename or by looking at a company logo on another post to see what the difference is. If the fullsize file name could each have a random hash or something added to the file’s name that might stop that, like this does:
    https://stackoverflow.com/questions/3259696/rename-files-during-upload-within-wordpress-backend
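    The random-filename idea above, combined with the content and size checks discussed earlier in the thread, as a WordPress must-use plugin. This is an added example, not code from WP Job Manager or from the Stack Overflow answer. It assumes the plugin hands front-end job submissions to WordPress’s own `wp_handle_upload()`, so the `wp_handle_upload_prefilter` hook fires for them; it treats any user without the `edit_posts` capability as an untrusted front-end submitter. As etheos noted, renaming alone does not hide the URL shown in the preview, so the size cap is what actually reduces the hotlinking appeal; hiding the preview (jonryan’s suggestion) is still needed to close the gap fully.

```php
<?php
/**
 * Plugin Name: WPJM upload hardening (added example, not part of WP Job Manager)
 * Place in wp-content/mu-plugins/ so it loads on every request.
 *
 * Assumption: WP Job Manager routes front-end job submission uploads through
 * wp_handle_upload(), so this prefilter sees them before they reach disk.
 */

add_filter( 'wp_handle_upload_prefilter', 'example_wpjm_harden_upload' );

function example_wpjm_harden_upload( $file ) {
	// Trusted editors/admins are left alone; anonymous and employer-level
	// front-end submitters are the population abusing the upload form.
	if ( current_user_can( 'edit_posts' ) ) {
		return $file;
	}

	// 1. Check the bytes, not the name or the browser-declared MIME type:
	//    getimagesize() parses the file header and reports the real type.
	$info    = @getimagesize( $file['tmp_name'] );
	$allowed = array( IMAGETYPE_PNG, IMAGETYPE_GIF, IMAGETYPE_JPEG );
	if ( false === $info || ! in_array( $info[2], $allowed, true ) ) {
		// Setting 'error' makes wp_handle_upload() abort with this message.
		$file['error'] = 'Only PNG, GIF and JPEG images are accepted.';
		return $file;
	}

	// 2. Cap the pixel dimensions. A 2550x1600 photo is what makes the site
	//    useful as a free image host; a logo-sized image is not (limit is an
	//    assumed policy value, adjust to what your listings actually need).
	$max_side = 400;
	if ( $info[0] > $max_side || $info[1] > $max_side ) {
		$file['error'] = sprintf( 'Logo images must be at most %d x %d pixels.', $max_side, $max_side );
		return $file;
	}

	// 3. Replace the user-chosen name with 32 random alphanumerics plus the
	//    extension that matches the detected type, so the final URL cannot be
	//    predicted from the original filename or from another listing's logo.
	$ext          = image_type_to_extension( $info[2], false ); // png, gif or jpeg
	$file['name'] = wp_generate_password( 32, false, false ) . '.' . $ext;

	return $file;
}
```

    The dimension check runs before the rename so a rejected upload never touches the uploads directory; the rename keeps the detected extension rather than the submitted one, so a `.jpg` that is really a GIF is stored as `.gif` instead of being refused outright.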

    Plugin Author jonryan

    (@jonryan)

    @pluginvulnerabilities I can read. Thanks.

    @etheos I understand what you are saying. Previously the ajax uploader worked for non-logged-in users which was changed because that was being used as a vector for adding images. Now, files can still be uploaded for non-logged-in users but only when the job is submitted (standard form submission). Maybe you can clarify in the cases this happened for you if the spammers are submitting jobs to rule out anything else that might be happening that we are overlooking.

    I definitely don’t want to come off as dismissive of this. I don’t think we considered the idea that spammers would go to the trouble of submitting jobs for image hosting. However, they don’t need to submit the job just get to the preview step to have the image uploaded, so we might need to reconsider how this is handled. One possibility is not showing the logo in the preview step, and it will only show when the job has been submitted and/or approved. Otherwise everyone is going to have to require account creation prior to job submission.

    patwalsh

    (@patwalsh)

    Amazing what tricks hackers get up to!

    So once I saw this raised, thought I’d better look into it for possible solutions.

    One that might work – I haven’t yet tested it – is the following:
    http://www.wpbeginner.com/beginners-guide/4-ways-to-prevent-image-theft-in-wordpress/
    And in particular – 3. Disable Hotlinking of Images in WordPress

    They suggest using the .htaccess file to prevent hotlinking of images from your WordPress site. You can set which sites can use the images on your site and all others are prevented from using them.

    This doesn’t get around the issue of them originally uploading their image file, but at least they can’t then use it.

    Also the use of a security plugin like Wordfence may alert you to the fact your site content is being used for phishing, so at least you’d know about it and could do something about it before it was too late.

    These are all potential partial solutions but still don’t address the issue of the original image upload for nefarious uses by the hacker. Hopefully Google will be my friend in my search for a solution.
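    Hotlink blocking in .htaccess and a security plugin, as patwalsh describes, only act after an abusive file is already on disk. A cheap way to notice such files yourself is to list everything in the job-manager-uploads folder that no published listing references, since a spammer's image is typically uploaded on the submit form and then never attached to an approved job. The script below is an added example, not WP Job Manager code; it assumes listings use the `job_listing` post type, that the company logo URL is stored in the `_company_logo` post meta, and that the featured image is the post thumbnail. It runs inside WordPress via WP-CLI (`wp eval-file audit-wpjm-uploads.php`).

```php
<?php
/**
 * Audit WP Job Manager upload folders for files no published listing uses.
 * Added example (not part of WP Job Manager). Run with WP-CLI:
 *   wp eval-file audit-wpjm-uploads.php
 * Assumed: post type 'job_listing', meta key '_company_logo', featured image
 * stored as the post thumbnail.
 */

// Build a map of basename => post ID for every file a published listing references.
function example_wpjm_referenced_basenames() {
	$referenced = array();
	$ids        = get_posts( array(
		'post_type'      => 'job_listing',
		'post_status'    => 'publish',
		'posts_per_page' => -1,
		'fields'         => 'ids',
	) );
	foreach ( $ids as $id ) {
		$logo = get_post_meta( $id, '_company_logo', true ); // assumed meta key
		if ( $logo ) {
			$referenced[ basename( $logo ) ] = $id;
		}
		$thumb = get_post_thumbnail_id( $id );
		if ( $thumb ) {
			$referenced[ basename( get_attached_file( $thumb ) ) ] = $id;
		}
	}
	return $referenced;
}

// Walk wp-content/uploads/job-manager-uploads and report unreferenced files.
function example_wpjm_orphaned_uploads() {
	$root = wp_upload_dir()['basedir'] . '/job-manager-uploads';
	if ( ! is_dir( $root ) ) {
		return array();
	}
	$referenced = example_wpjm_referenced_basenames();
	$orphans    = array();
	$iterator   = new RecursiveIteratorIterator(
		new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
	);
	foreach ( $iterator as $path => $entry ) {
		if ( ! $entry->isFile() ) {
			continue;
		}
		$name = $entry->getFilename();
		// WordPress also writes intermediate sizes (name-WxH.ext); treat them
		// as referenced when their original is.
		$original = preg_replace( '/-\d+x\d+(\.[a-z]+)$/i', '$1', $name );
		if ( isset( $referenced[ $name ] ) || isset( $referenced[ $original ] ) ) {
			continue;
		}
		$info      = @getimagesize( $path );
		$orphans[] = array(
			'path'     => $path,
			'is_image' => false !== $info,
			'width'    => $info ? $info[0] : 0,
			'height'   => $info ? $info[1] : 0,
			'age_days' => (int) floor( ( time() - $entry->getMTime() ) / DAY_IN_SECONDS ),
		);
	}
	return $orphans;
}

foreach ( example_wpjm_orphaned_uploads() as $o ) {
	// Large orphans are the likely hotlink hosts; non-images should not exist here at all.
	printf(
		"%s\t%s\t%dx%d\t%d days old\n",
		$o['path'],
		$o['is_image'] ? 'image' : 'NOT-AN-IMAGE',
		$o['width'],
		$o['height'],
		$o['age_days']
	);
}
```

    Review the list before deleting anything: a file from a listing that is still pending approval is also "orphaned" by this definition, which is exactly the window the thread describes, so the age column and the pixel dimensions are what separate a legitimate pending logo from a 2550px photo that nobody on the site will ever use.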

    Plugin Support Dat Hoang

    (@htdat)

    @patwalsh: Thank you for detailed solutions.

    I am closing this topic now.

    Please make sure that you all are using the latest version of WPJM.

    Thank you!

    Cheers,

  • The topic ‘Job Manager Uploads Folder Hacked’ is closed to new replies.