WordPress Exploit Alert: Uploadify.php


Exploit:

Uploadify.php

What is it?

An unrestricted file upload vulnerability. As OWASP explains:

The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step.

How is it being used in WordPress?

Uploadify™ is a jQuery plugin that allows you to easily add multiple-file upload functionality to your website. It is bundled with many WordPress themes and plugins to let users upload files to the web server. The problem is in the server-side script that ships with it, uploadify.php: the extension of the uploaded file isn't properly checked, so an attacker can upload arbitrary files, including files containing malicious PHP code. Because uploadify.php is a standalone PHP file that can be requested directly by URL, it does not matter whether the theme or plugin that bundles it is active.

Why is it dangerous?

Attackers use the unrestricted upload to place PHP files containing malicious scripts (web shells) on vulnerable web servers. Because the uploaded file lands inside the web root, the attacker only has to request its URL for the web server to execute it, and from there can gain control of your website for their own purposes.
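Added example, not code from Uploadify or from any theme or plugin listed on this page: the unsafe pattern described above (writing the upload under whatever name the client sent) next to a hardened check that allow-lists extensions, verifies the file's actual bytes, and picks a server-chosen name. The upload directory path, the allow list, the function names and the constructed sample files are assumptions made for the demonstration.

```php
<?php
// Added example, not code from Uploadify or from any theme or plugin listed on this page.
// Contrasts the unsafe pattern the article describes (trusting the client-supplied
// file name) with a hardened check, using constructed temp files as stand-in uploads.
declare(strict_types=1);

// The only extensions this handler will ever write, each with the content type
// the file's bytes must actually have (assumed allow list for the demo).
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                 'png' => 'image/png',  'gif' => 'image/gif'];

/** UNSAFE pattern: the client's file name becomes the target path unchanged,
 *  so a request naming the file "shell.php" drops a PHP file in the web root. */
function unsafe_target_path(string $uploadDir, string $clientName): string
{
    return rtrim($uploadDir, '/') . '/' . $clientName;
}

/** Hardened check. Returns the extension to store the file under, or null to refuse.
 *  Uses the LAST extension of the client name ("shell.php.png" counts as .png) and
 *  then verifies the actual bytes match that type with libmagic (finfo). */
function validate_upload(string $clientName, string $tmpPath): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null;                                   // not on the allow list
    }
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected !== ALLOWED[$ext]) {
        return null;                                   // bytes do not match the claimed type
    }
    return $ext;
}

/** Hardened target path: server-chosen random name plus an allow-listed extension.
 *  The client's file name never reaches the filesystem. */
function safe_target_path(string $uploadDir, string $ext): string
{
    return rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
}

// --- Demonstration with constructed inputs (temp files, not real HTTP uploads) ---
$dir = sys_get_temp_dir() . '/uploadify-demo-' . getmypid();
mkdir($dir, 0700);
$png = "$dir/in.png";   // a minimal 1x1 RGB PNG (signature + IHDR chunk)
file_put_contents($png, "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR"
    . "\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00\x90\x77\x53\xde");
$php = "$dir/in.php";   // what an attacker's upload body looks like
file_put_contents($php, "<?php echo 'owned'; ?>");

$cases = [
    ['photo.png',     $png],  // accepted: png extension, png bytes
    ['photo.jpg',     $png],  // refused: extension does not match the bytes
    ['shell.php',     $php],  // refused: extension not allowed
    ['shell.php.png', $php],  // refused: last extension ok, bytes are PHP source
    ['shell.png',     $php],  // refused: bytes are PHP source
];
foreach ($cases as [$name, $tmp]) {
    $ext = validate_upload($name, $tmp);
    printf("%-14s unsafe: %-34s hardened: %s\n", $name,
        unsafe_target_path('/var/www/html/uploads', $name),
        $ext === null ? 'REFUSED' : safe_target_path('/var/www/html/uploads', $ext));
}
unlink($png); unlink($php); rmdir($dir);
```

Run it with `php upload_check.php` (needs the fileinfo extension, which is enabled in most PHP builds). The check only decides what may be written; a real handler must also refuse callers that are not logged-in users with an upload capability, confirm `$_FILES[...]['error'] === UPLOAD_ERR_OK`, and keep the upload directory configured so the web server never executes scripts from it, since content sniffing alone can be fooled by a file that is valid as both an image and PHP.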

List of vulnerable WordPress themes & plugins:

(Look for “uploadify” or variations of it in your theme and plugin folders and file names.)

All of the paths below are relative to the /wp-content folder of your WordPress installation.

Disclaimer: In the past few weeks, our site (and our clients’ sites) have been getting hacking attack warnings that someone is trying to hack the site using the vulnerability in uploadify.php. Since Uploadify is an upload utility that is used by other plugins/themes, the following is the list of plugins that the hacker(s) are trying to exploit. This is by no means the complete list of themes and plugins using Uploadify, and I will update the list as more information becomes available. If you come across a vulnerable theme or plugin that uses Uploadify and is not listed, please feel free to mention it in the Comments.

Plugins:

    • /plugins/1-flash-gallery/
    • /plugins/ajax_multi_upload/ (added 7/30/2012)
    • /plugins/annonces/ (Version 1.2.0.1 and older)
      Note: Plugin has been patched. Please update to latest version.
    • /plugins/apptivo-business-site/
    • /plugins/auctionPlugin/ (added 7/30/2012)
    • /plugins/bulletproof-security/ (versions prior to 2/11/2011)
      Update 6/20/2012: I was contacted by the developer of BulletProof Security, and was informed that since 2/11/2011 the plugin no longer uses uploadify.php. The latest version of the BulletProof Security plugin is NOT affected by the vulnerability, and is safe to use.
    • /plugins/chillybin-competition/
    • /plugins/comments_plugin/
    • /plugins/doptg/
    • /plugins/foxypress/ (Version 0.4.2.1 and older)
      Note: Plugin has been patched. Please update to latest version.
    • /plugins/gpress/
    • /plugins/html5avmanager/
    • /plugins/image-symlinks/
    • /plugins/kish-guest-posting/ (Version 1.2 or older) (added 11/25/2012)
    • /plugins/kish-multi/
    • /plugins/lbg-vp2-html5-bottom/
    • /plugins/mm-forms-community/ (added 7/30/2012)
    • /plugins/motorcycle-inventory/
    • /plugins/nmedia-user-file-uploader/ (Version 1.9 and older)
      Note: Plugin has been patched. Please update to latest version.
    • /plugins/nmedia-user-file-uploader-pro-v7/ (Version 7.2 and older)
      Note: Plugin has been patched. Please update to latest version.
    • /plugins/pods/
    • /plugins/qr-color-code-generator-basic/
    • /plugins/squace-mobile-publishing-plugin-for-wordpress/
    • /plugins/wordpress-member-private-conversation/ (Version 1.3 and older)
      Note: Plugin has been patched. Please update to latest version.
    • /plugins/wp-crm/
    • /plugins/wp-property/
    • /plugins/wp-symposium/
    • /plugins/wpmarketplace/
    • /plugins/uploader/
    • /plugins/uploadify/ (Version 3.0 and older)
      Note: Plugin has been patched. Please update to latest version.
    • /plugins/very-simple-post-images/

Themes:

    • /themes/aim-theme/ (Aim)
    • /themes/deep-blue/ (Deep Blue, Version 1.9.2 and older)
      Update 6/22/2012: The theme has been pulled from WordPress repository. It is advised that you deactivate the theme and delete all the theme’s files.
    • /themes/famous/ (Famous, Version 2.0.5 and older)
      Update 6/22/2012: The theme has been pulled from WordPress repository. It is advised that you deactivate the theme and delete all the theme’s files.
    • /themes/fresh_trailers/ (Fresh Trailer)
    • /themes/fresh_trailers_v2/ (Fresh Trailer V 2.0)
    • /themes/pronto/ (Pronto)
    • /themes/trulyminimal/ (TrulyMinimal, assuming Versions prior to 1.1.3)
      Added 12/13/2012: I contacted the developer of the theme, and he assured me that the latest version (v1.1.3) of the theme is safe from being exploited. He also sent me an updated theme package with an updated, more secure UPLOADIFY.PHP. However what he sent me is not yet available for download from the developer’s website. If you’re using this theme, I strongly recommend that you contact the developer to get the most updated version of the theme package, one with the updated UPLOADIFY.PHP.

    • /themes/u-design/ (U-Design, versions prior to 1.6.1)
      Added 7/5/2012: I asked the developer of the theme if the latest version is patched, and here is his reply:

      yes in the theme’s latest version 1.6.1, which should be out sometime today July 5th, the uploadify.php file has been patched, and within the next couple of days I’ll be posting another update of the theme with Uploadify completely removed from the theme.

      In other words, if you’re using this theme, please be sure you download and install the latest version (1.6.1).

    • /themes/wp-eden/ (WP Eden)
    • /themes/wpnavigator/ (The Navigator)
    • /themes/zcool-like/ (ZCool Like)

What to do if you’re using one of these plugins or themes?

    • Make sure you are using the most up-to-date version of the plugin or theme; the vulnerability may already have been patched. Check the plugin’s or theme’s changelog to see whether it has been.
      • Contact the theme or plugin developers and let them know about the exploit. Ask them to patch it if they have not already.
    • If possible, deactivate and delete the vulnerable (or unpatched) plugins/themes.
      • Deactivation alone is not enough, as a lot of the exploits do not need the theme or plugin to be active in order to work.
    • If you must keep the plugin or theme in question, rename the vulnerable file (uploadify.php or a variation of it) to something entirely different.
      • Be sure to update ALL the plugin or theme files that make calls to the renamed file, otherwise the theme or plugin will break.
      • Renaming only hides the script from attackers probing the default path; anyone who learns the new name can still use it. The script itself should also require a logged-in user and check the uploaded file before writing it.
      • Added 6/29/2012: Check out these suggestions provided by the developer of Uploadify.
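Added example, not part of the original post and not code from any plugin or theme listed above: a command-line scanner that does the “look for uploadify” search from the list section and the “find everything that calls it” step from the rename advice in one pass. It reports every file whose name contains “uploadify”, flags PHP handlers that write uploads with no sign of an authentication check, and lists the files that reference each handler. The list of auth marker functions, the heuristic itself, the function names and the constructed fixture directory are assumptions for the demonstration.

```php
<?php
// Added example, not code from the original post or from any plugin or theme listed above.
// Walks a wp-content tree and, for every file whose name contains "uploadify":
//   - flags PHP handlers that write uploads (move_uploaded_file) with no sign of an
//     authentication check (a heuristic: absence of a marker is a prompt to review,
//     presence is not proof of safety);
//   - lists other files in the same plugin/theme that mention the handler, i.e. what
//     you must edit if you rename or remove it.
// Usage: php scan_uploadify.php /var/www/html/wp-content
// With no argument it builds a small constructed fixture in a temp directory and scans that.
declare(strict_types=1);

// WordPress functions whose presence suggests the handler checks who is calling it
// (assumed marker list for this demo).
const AUTH_MARKERS = ['is_user_logged_in', 'current_user_can', 'check_ajax_referer',
                      'wp_verify_nonce', 'check_admin_referer'];

/** Every regular file under $root, recursively, sorted. */
function all_files(string $root): array
{
    $out = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $f) {
        if ($f->isFile()) $out[] = $f->getPathname();
    }
    sort($out);
    return $out;
}

/** Classify a PHP handler from its source text. */
function classify_handler(string $source): string
{
    if (stripos($source, 'move_uploaded_file') === false) return 'no upload write found';
    foreach (AUTH_MARKERS as $m) {
        if (stripos($source, $m) !== false) return "writes uploads; auth marker $m() present";
    }
    return 'WRITES UPLOADS WITH NO AUTH MARKER: review, rename or remove';
}

/** The plugin or theme directory (wp-content/plugins/X or wp-content/themes/X) containing $path. */
function component_dir(string $root, string $path): string
{
    $root = rtrim($root, '/');
    $parts = explode('/', substr($path, strlen($root) + 1));
    return $root . '/' . $parts[0] . (isset($parts[2]) ? '/' . $parts[1] : '');
}

/** Files in $files (excluding $handler itself) whose text mentions the handler's file name. */
function referrers(array $files, string $handler): array
{
    $needle = basename($handler);
    $hits = [];
    foreach ($files as $path) {
        if ($path === $handler || !preg_match('/\.(php|js|html?)$/i', $path)) continue;
        if (stripos((string) file_get_contents($path), $needle) !== false) $hits[] = $path;
    }
    return $hits;
}

/** Scan $root; returns [path => [classification, referrers]] for each uploadify file. */
function scan(string $root): array
{
    $files = all_files($root);
    $report = [];
    foreach ($files as $path) {
        if (stripos(basename($path), 'uploadify') === false) continue;
        if (!preg_match('/\.php$/i', $path)) {
            $report[$path] = ['not PHP (client-side asset)', []];
            continue;
        }
        $scope = component_dir($root, $path) . '/';
        $inScope = array_filter($files, fn($f) => strpos($f, $scope) === 0);
        $report[$path] = [classify_handler((string) file_get_contents($path)),
                          referrers($inScope, $path)];
    }
    return $report;
}

// --- Constructed fixture, used only when no wp-content path is given ---
function build_fixture(): string
{
    $root = sys_get_temp_dir() . '/wp-content-demo-' . getmypid();
    mkdir("$root/plugins/demo-plugin", 0700, true);
    mkdir("$root/themes/demo-theme/inc", 0700, true);
    // Unsafe pattern: writes whatever the client sent, no auth check.
    file_put_contents("$root/plugins/demo-plugin/uploadify.php",
        "<?php move_uploaded_file(\$_FILES['Filedata']['tmp_name'], 'uploads/' . \$_FILES['Filedata']['name']);");
    file_put_contents("$root/plugins/demo-plugin/admin.php",
        "<?php echo '<script>uploader: \"uploadify.php\"</script>';");
    file_put_contents("$root/plugins/demo-plugin/jquery.uploadify.js", "/* client side */");
    // Handler that at least checks a capability before writing.
    file_put_contents("$root/themes/demo-theme/inc/uploadify.php",
        "<?php if (!current_user_can('upload_files')) exit; move_uploaded_file(\$_FILES['f']['tmp_name'], 'x');");
    return $root;
}

$root = $argv[1] ?? build_fixture();
foreach (scan($root) as $path => [$status, $refs]) {
    echo "$path\n  $status\n";
    foreach ($refs as $r) echo "  referenced by: $r\n";
}
```

Treat “no auth marker” as a reason to open the file and read it, not as a verdict: a handler may authenticate through a mechanism the marker list does not know, and a handler with a marker may still call it after the write or only on some code paths. A renamed file that is still referenced by a file the scanner did not search (for example a compiled or minified asset) will also be missed, so test the upload feature after renaming.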

IT Pixie Can Help!

Not only can we help you deal with the vulnerability in your themes and plugins, we can also help you clean up and regain control of your site if you have unfortunately been hacked.  We will implement security measures to harden your WordPress site and monitor it closely so we can respond to any emergency quickly.

Visit our Service page for details.  Or contact us to get your Personal IT Helper today!

Update 6/22/2012:
Added additional information from WP Security Lock: here, here and here.

Update 6/23/2012:
wpStoreCart, while not using the Uploadify script, has a similar Unrestricted File Upload vulnerability in php/upload.php (see details). If you’re using this WordPress ecommerce plugin, be sure you have the latest version. Versions 2.5.29 and older are vulnerable, the minimum safe version is 2.5.30.

Update 6/26/2012:
Read Sucuri’s post about Uploadify.

Update 8/1/2012:
The developer of Nmedia Users File Uploader and Nmedia WordPress Member Conversation informed me that both plugins, as well as the pro version of Nmedia Users File Uploader, have been patched and have had the Uploadify files removed. If you’re using these plugins, please update to the latest versions immediately.