WordPress Exploit Alert: Uploadify.php

Exploit:

Uploadify.php

What is it?

Unrestricted File Upload Exploit. As OWASP explains,

The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step.

How is it being used in WordPress?

Uploadify™ is a jQuery plugin that allows you to easily add multiple file upload functionality to your website. It is used in a lot of WordPress themes and plugins to allow users to upload files onto the website's server. However, there is a vulnerability in the code that allows unrestricted upload of files: an attacker might be able to upload arbitrary files containing malicious PHP code because the uploaded file's extension isn't properly checked.

Why is it dangerous?

Hackers exploit the ability to upload files without any restrictions to place PHP files containing malicious scripts on vulnerable web servers. Once the malicious scripts are on the web server, the hackers can use them to gain control of your website for their own purposes.
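To make the defect concrete, here is an added example (my own code, not the Uploadify plugin's and not from the OWASP article) of an upload handler in the weak shape described above, followed by a hardened version. It assumes it runs inside WordPress, so the WordPress functions used (current_user_can, check_ajax_referer, wp_upload_dir, wp_mkdir_p, wp_die) are available, and that the form field is named Filedata, as the Uploadify client sends it; the allowlist of file types is an illustrative choice.

```php
<?php
// Added example (not the Uploadify plugin's own code): an upload handler in
// the weak shape the post describes, next to a hardened one.
// Assumed: this file is loaded by WordPress (for example through an
// admin-ajax action), and the upload field is named "Filedata".

// --- Weak pattern (constructed to match the post's description) ------------
// The client-supplied name and extension are trusted as-is and no login is
// required, so a request carrying "anything.php" lands as an executable script.
function weak_upload_handler(array $file, string $uploadDir): string
{
    $target = rtrim($uploadDir, '/') . '/' . $file['name'];
    move_uploaded_file($file['tmp_name'], $target);
    return $target;
}

// --- Hardened pattern -------------------------------------------------------
// 1. The caller must be logged in and hold an explicit capability.
// 2. A nonce ties the request to a form this site rendered (CSRF protection).
// 3. Only a short allowlist of extensions is accepted, taken from the last
//    extension, so "x.php.jpg" is judged by "jpg", never by "php".
// 4. The stored name is random; the client's file name is never reused.
// 5. The file's content (finfo) must agree with the declared extension.
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];

function hardened_upload_handler(array $file, string $uploadDir): string
{
    if (!is_user_logged_in() || !current_user_can('upload_files')) {
        wp_die('access denied', 403);
    }
    check_ajax_referer('uploadify_upload', 'nonce');

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        wp_die('upload failed', 400);
    }

    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        wp_die('file type not allowed', 415);
    }

    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected !== ALLOWED_TYPES[$ext]) {
        wp_die('file content does not match extension', 415);
    }

    // Random, server-chosen name with a vetted extension; never executable.
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        wp_die('could not store file', 500);
    }
    chmod($target, 0644);
    return $target;
}

// Entry point as an endpoint would wire it up (the sub-folder name is assumed).
if (!empty($_FILES['Filedata'])) {
    $dir = wp_upload_dir()['basedir'] . '/uploadify';
    wp_mkdir_p($dir);
    echo basename(hardened_upload_handler($_FILES['Filedata'], $dir));
}
```

The capability check is what turns an anonymous upload endpoint into an authenticated one; the allowlist and content check are what keep a logged-in but low-privilege user from storing something the web server would execute. Even with both in place, the upload directory should be configured so the web server never runs scripts from it, which is a web-server setting rather than something the PHP above can enforce.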

List of vulnerable WordPress themes & plugins:

(Look for “Uploadify” or variations of it in your theme/plugin folders and file names)

All of these folders and files can be found in the /wp-content folder of your WordPress installation, if you use any of them.

Disclaimer: In the past few weeks, our site (and our clients' sites) have been getting hacking attack warnings that someone is trying to hack the site using the vulnerability in uploadify.php. Since Uploadify is an upload utility that is used by other plugins/themes, the following is the list of plugins that the hacker(s) are trying to exploit. This is by no means the complete list of themes and plugins using Uploadify, and I will update the list as more information becomes available. If you come across a vulnerable theme or plugin that uses Uploadify and is not listed, please feel free to mention it in the Comments.

Plugins:

    • /plugins/1-flash-gallery/
    • /plugins/ajax_multi_upload/ (added 7/30/2012)
    • /plugins/annonces/ (Version 1.2.0.1 and older)
      Note: Plugin has been patched. Please update to latest version.
    • /plugins/apptivo-business-site/
    • /plugins/auctionPlugin/ (added 7/30/2012)
    • /plugins/bulletproof-security/ (versions prior to 2/11/2011)
      Update 6/20/2012: I was contacted by the developer of BulletProof Security, and was informed that since 2/11/2011 the plugin no longer uses uploadify.php. The latest version of the BulletProof Security plugin is NOT affected by the vulnerability, and is safe to use.
    • /plugins/chillybin-competition/
    • /plugins/comments_plugin/
    • /plugins/doptg/
    • /plugins/foxypress/ (Version 0.4.2.1 and older)
      Note: Plugin has been patched. Please update to latest version.
    • /plugins/gpress/
    • /plugins/html5avmanager/
    • /plugins/image-symlinks/
    • /plugins/kish-guest-posting/ (Version 1.2 or older) (added 11/25/2012)
    • /plugins/kish-multi/
    • /plugins/lbg-vp2-html5-bottom/
    • /plugins/mm-forms-community/ (added 7/30/2012)
    • /plugins/motorcycle-inventory/
    • /plugins/nmedia-user-file-uploader/ (Version 1.9 and older)
      Note: Plugin has been patched. Please update to latest version.
    • /plugins/nmedia-user-file-uploader-pro-v7/ (Version 7.2 and older)
      Note: Plugin has been patched. Please update to latest version.
    • /plugins/pods/
    • /plugins/qr-color-code-generator-basic/
    • /plugins/squace-mobile-publishing-plugin-for-wordpress/
    • /plugins/wordpress-member-private-conversation/ (Version 1.3 and older)
      Note: Plugin has been patched. Please update to latest version.
    • /plugins/wp-crm/
    • /plugins/wp-property/
    • /plugins/wp-symposium/
    • /plugins/wpmarketplace/
    • /plugins/uploader/
    • /plugins/uploadify/ (Version 3.0 and older)
      Note: Plugin has been patched. Please update to latest version.
    • /plugins/very-simple-post-images/

Themes:

    • /themes/aim-theme/ (Aim)
    • /themes/deep-blue/ (Deep Blue, Version 1.9.2 and older)
      Update 6/22/2012: The theme has been pulled from WordPress repository. It is advised that you deactivate the theme and delete all the theme’s files.
    • /themes/famous/ (Famous, Version 2.0.5 and older)
      Update 6/22/2012: The theme has been pulled from WordPress repository. It is advised that you deactivate the theme and delete all the theme’s files.
    • /themes/fresh_trailers/ (Fresh Trailer)
    • /themes/fresh_trailers_v2/ (Fresh Trailer V 2.0)
    • /themes/pronto/ (Pronto)
    • /themes/trulyminimal/ (TrulyMinimal, assuming Versions prior to 1.1.3)
      Added 12/13/2012: I contacted the developer of the theme, and he assured me that the latest version (v1.1.3) of the theme is safe from being exploited. He also sent me an updated theme package with an updated, more secure UPLOADIFY.PHP. However what he sent me is not yet available for download from the developer’s website. If you’re using this theme, I strongly recommend that you contact the developer to get the most updated version of the theme package, one with the updated UPLOADIFY.PHP.

    • /themes/u-design/ (U-Design, versions prior to 1.6.1)
      Added 7/5/2012: I asked the developer of the theme if the latest version is patched, and here is his reply:

      yes in the theme’s latest version 1.6.1, which should be out sometime today July 5th, the uploadify.php file has been patched, and within the next couple of days I’ll be posting another update of the theme with Uploadify completely removed from the theme.

      In other words, if you’re using this theme, please be sure you download and install the latest version (1.6.1).

    • /themes/wp-eden/ (WP Eden)
    • /themes/wpnavigator/ (The Navigator)
    • /themes/zcool-like/ (ZCool Like)

What to do if you’re using one of these plugins or themes?

    • Make sure you are using the most updated version of the plugin or theme. The vulnerability might have been patched already in the latest version. Check the plugin/theme's changelog to see if the vulnerability has been patched.
      • Contact the theme or plugin developers and let them know about the exploit. Ask them to patch it if they have not already.
    • If possible, deactivate and delete the vulnerable (or unpatched) plugins/themes.
      • Deactivation alone is not enough, as a lot of the exploits do not need the theme or plugin to be active in order to work.
    • If you must use the plugin or theme in question, rename the vulnerable file (uploadify.php or other variations) to something totally different.
      • Be sure you update ALL the plugin or theme files that make calls to this renamed file, otherwise the theme and plugin will break.
      • Added 6/29/2012: Check out these suggestions provided by the developer of Uploadify.
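To support the first two steps, here is an added example (my own command-line script, not part of this post or of any plugin): it walks a wp-content directory, lists every PHP file whose path contains "uploadify" or that is named uploader.php or upload.php, and flags those that call move_uploaded_file without a visible WordPress login, capability or nonce check. The directory argument, the name patterns and the list of check functions are assumptions you can adjust.

```php
<?php
// Added example (not from the post or any plugin): a read-only audit of
// upload scripts under wp-content. Usage (path is an assumption):
//   php audit-uploadify.php /var/www/html/wp-content
// It prints one line per candidate file and never modifies anything.

// Path patterns taken from the post's advice to look for "Uploadify" or
// variations of it in folder and file names (the extra names are assumed).
const UPLOADER_NAME_PATTERN = '/uploadify|uploader\.php$|upload\.php$/i';

// Any of these calls in the file counts as evidence of an access check.
const AUTH_CHECK_PATTERN = '/current_user_can|is_user_logged_in|wp_verify_nonce|check_ajax_referer/';

// Return the sorted list of candidate PHP files below $wpContent.
function find_upload_scripts(string $wpContent): array
{
    $found = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($wpContent, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $path => $info) {
        if (!$info->isFile() || strtolower($info->getExtension()) !== 'php') {
            continue;
        }
        if (preg_match(UPLOADER_NAME_PATTERN, $path)) {
            $found[] = $path;
        }
    }
    sort($found);
    return $found;
}

// Inspect one file: does it write uploads, and does it check who is calling?
function assess_script(string $path): array
{
    $src = (string) file_get_contents($path);
    return [
        'path'           => $path,
        'writes_upload'  => (bool) preg_match('/move_uploaded_file\s*\(/', $src),
        'has_auth_check' => (bool) preg_match(AUTH_CHECK_PATTERN, $src),
    ];
}

$root = $argv[1] ?? 'wp-content';
if (!is_dir($root)) {
    fwrite(STDERR, "not a directory: $root\n");
    exit(1);
}

foreach (find_upload_scripts($root) as $script) {
    $r = assess_script($script);
    // REVIEW = stores uploads and shows no sign of checking the caller.
    $flag = ($r['writes_upload'] && !$r['has_auth_check']) ? 'REVIEW' : 'ok    ';
    printf("%s  %s\n", $flag, $r['path']);
}
```

This is a heuristic, not a verdict: a script that performs its check in an included file will be reported as REVIEW, and a script can contain current_user_can and still be unsafe. Treat a REVIEW line as a prompt to open the file, and apply the steps above (update, remove, or rename and fix the callers) to anything on the list regardless of what the scan says.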

IT Pixie Can Help!

Not only can we help you deal with the vulnerability in your themes and plugins, we can also help you clean up and regain control of your site if you have unfortunately been hacked. We will implement security measures to harden your WordPress site, as well as monitor it closely so we can respond to any emergency situation quickly.

Visit our Service page for details.  Or contact us to get your Personal IT Helper today!

Update 6/22/2012:
Added additional information from WP Security Lock: here, here and here.

Update 6/23/2012:
wpStoreCart, while not using the Uploadify script, has a similar Unrestricted File Upload vulnerability in php/upload.php (see details). If you're using this WordPress ecommerce plugin, be sure you have the latest version. Versions 2.5.29 and older are vulnerable; the minimum safe version is 2.5.30.

Update 6/26/2012:
Read Sucuri’s post about Uploadify.

Update 8/1/2012:
The developer of Nmedia Users File Uploader and Nmedia WordPress Member Conversation informed me that both plugins, as well as the pro version of Nmedia Users File Uploader, have been patched and have had the Uploadify files removed. If you’re using these plugins, please update to the latest versions immediately.

  • http://sucuri.net Andres Armeda

    Good post! We reported on the Uploadify issues last year – http://blog.sucuri.net/2011/08/timthumb-php-security-vulnerability-just-the-tip-of-the-iceberg.html They were discovered around the time the TimThumb vulnerability was disclosed.

    • http://itpixie.com/ IT Pixie

      Thank you, and thanks for the link. I see tons of attack attempts using TimThumb still, even after more than a year. And I still come across themes or plugins using vulnerable versions of TimThumb, it’s scary!

  • Dams

    Theme : /wp-content/themes/u-design/scripts/admin/uploadify/uploadify.php
    ( hacked by 196.203.60.34 and 46.248.192.217 ) :(

    • http://itpixie.com/ IT Pixie

      Thank you for the heads-up! This is interesting, since I have not seen any attempts using this particular theme. It looks like in version 1.5 there was some kind of "fix" to the Uploadify script that's used in the theme, so maybe the theme has been patched?

    • http://itpixie.com/ IT Pixie

      If you're using an old version of the U-Design theme (anything before 1.6.1), be sure you update the theme right away! The latest version (1.6.1) of the theme is patched.

  • http://twitter.com/yourcodegarage CodeGarage

    Great post – we’re seeing a pretty significant wave of attacks using uploadify as of this weekend – this is a great resource to point people at. Thanks!

  • nmedia82

    /plugins/nmedia-user-file-uploader/
    /plugins/wordpress-member-private-conversation/

    Both plugins have been fixed for exploits. uploadify.php is removed from these plugins and they are active on wp after verification.

    • http://itpixie.com/ IT Pixie

      Thank you so much for the update! I’ve updated the post with this new info. May we assume that Nmedia User File Uploader Pro v7 has also been patched? I couldn’t find the changelog to verify. Thank you again!

      • nmedia82

        thanks for your prompt action, well Pro Version 7.3 is also secure. Please update the post.

        • http://itpixie.com/ IT Pixie

          Thank you again for the additional info! Post has been updated.

          • nmedia82

            thanks for all your great effort and information.

  • Geoffrey McRae

    Just upgrading uploadify is not enough, it may be checking extension properly now, but it is still not restricting the uploads to authorised users only. You can patch the script for WordPress very simply by adding the following:

    /* security patch for wordpress */
    define('WP_USE_THEMES', false);
    require('../../../../../wp-blog-header.php');
    if (!current_user_can('level_10'))
        die('access denied');

    This will ensure the current user trying to use the script is the administrator.
