I don’t use this plug-in, but noticed someone made the claim about upload shell scripts via your plug-in. I pretty much called it shenanigans, since if you’re a logged in user, who has access to upload files, you would be able to arbitrarily upload any file to begin with, since any logged in use if they have access to the media uploader, could do the same thing. I don’t see it as a true attack, so much as the potential for abuse by lower level users who have login access to the site.
You can read about the supposed vuln disclosure here: http://packetstormsecurity.com/files/119159/WordPress-SB-Uploader-3.9-Shell-Upload.html
In the event a WordPress site left user registration open, and this plug-in is accessible to low level users who can’t even edit pages, but can make blog posts, I could see how it can be abused, but still, a logged in user being able to upload files is not in my eyes a true attack or vulnerability so much as maybe an abuse of their account privileges.
My suggestion though, would be to change your plug-in, to not be available to users with roles lower than admin and editor, as well as making it so no PHP files can be uploaded via your tool, and only proper media such as images, music, video and text documents can be upload. File types I would restrict, PHP, PL, SWF, and so on, so that no one can upload scripts or malicious flash files to the sites, and removing the ability for new registered users from having access if they aren’t part of the admin group role.
- The topic ‘Possible file type issue’ is closed to new replies.