[wp-trac] [WordPress Trac] #24728: Provide option to disable / remove swfupload
WordPress Trac
noreply at wordpress.org
Sat Nov 18 12:31:59 UTC 2017
#24728: Provide option to disable / remove swfupload
-------------------------+-----------------------
Reporter: msaffitz | Owner:
Type: enhancement | Status: reopened
Priority: normal | Milestone:
Component: Upload | Version:
Severity: major | Resolution:
Keywords: needs-patch | Focuses:
-------------------------+-----------------------
Changes (by bilalakil):
* status: closed => reopened
* resolution: maybelater =>
* severity: normal => major
Comment:
Hi there, bringing this back up due to a recent incident on my WordPress
site. It was hacked somehow and a foreign PHP file turned up at
wp-includes/js/swfupload/ukqdwrmx.php, and started spamming people; the
webhost shut down my site.
I didn't check the contents of that file before I deleted it (which I
regret - would've been interesting).
While this is just a guess, it might be the case that this deprecated
swfupload thingy has had a vulnerability revealed in the last few years,
and is now being exploited. If this is true, it might be a matter of
urgency to remove it from WordPress.
This suspicious code snippet indicates that it may indeed be used as an
exploit:
https://packetstormsecurity.com/files/121348/SWFUpload-CSRF-XSS-Object-Injection.html
You can see the following example URLs:
http://<redacted>/wp-includes/js/swfupload/swfupload.swf?buttonImageURL=http://1337day.com/img/logo_green.jpg
https://<redacted>/wp-content/plugins/bp-gallery/inc/js/swfupload/swfupload.swf?buttonImageURL=http://1337day.com/img/logo_green.jpg
Concerning that it's also in some plugins...
I'm not the most educated on this matter, but just wanted to bring the
topic back up for consideration.
Cheers,
Bilal.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/24728#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
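The report above describes two observable artefacts: a PHP file sitting in an asset-only directory (wp-includes/js/swfupload/, which should contain only .swf/.js and similar files), and requests for swfupload.swf whose buttonImageURL parameter points at a third-party host. The following is an added detection example, not code from the ticket or from WordPress core. It assumes a Linux-style WordPress tree and Apache/nginx combined-format access logs; the directory tree and log lines are constructed inline for the demo (the file name dropper.php, the IPs and the hosts example.net / blog.example are made up; ukqdwrmx.php is the name from the report).

```python
import os
import re
import tempfile
from urllib.parse import urlparse, parse_qs

# swfupload directories ship static assets only; anything else found
# underneath them (typically .php) is worth a look. The marker is matched
# against the path relative to the WordPress root, so plugin copies such as
# wp-content/plugins/<plugin>/inc/js/swfupload are covered too.
ASSET_DIR_MARKERS = ("/js/swfupload",)
EXPECTED_EXT = {".swf", ".js", ".css", ".png", ".gif", ".jpg", ".html", ".txt", ".md"}

# Combined-log request field: "GET /path?query HTTP/1.1" 200
LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def find_unexpected_files(wp_root):
    """Walk wp_root and return relative paths of non-asset files inside any
    swfupload directory (core or plugin copy)."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(wp_root):
        rel_dir = os.path.relpath(dirpath, wp_root).replace(os.sep, "/")
        if not any(marker in "/" + rel_dir for marker in ASSET_DIR_MARKERS):
            continue
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in EXPECTED_EXT:
                hits.append(rel_dir + "/" + name)
    return sorted(hits)


def flag_swfupload_requests(log_lines, site_hosts):
    """Return (request_path, external_host) for swfupload.swf requests whose
    buttonImageURL names a host that is not one of the site's own hosts.
    Such requests make the Flash object fetch an off-site resource, which no
    legitimate WordPress uploader page ever asks for."""
    flagged = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        parsed = urlparse(m.group("path"))
        if not parsed.path.endswith("/swfupload.swf"):
            continue
        for target in parse_qs(parsed.query).get("buttonImageURL", []):
            host = urlparse(target).hostname
            if host and host not in site_hosts:
                flagged.append((parsed.path, host))
    return flagged


def build_sample_tree():
    """Constructed throwaway tree: legitimate swfupload assets in core and in a
    plugin, plus two planted PHP files mirroring the incident in the report."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    files = {
        "wp-includes/js/swfupload/swfupload.swf": b"FWS",
        "wp-includes/js/swfupload/handlers.js": b"// js",
        "wp-includes/js/swfupload/plugins/swfupload.queue.js": b"// js",
        "wp-includes/js/swfupload/ukqdwrmx.php": b"<?php /* planted */",
        "wp-includes/js/jquery/jquery.js": b"// js",  # outside swfupload: ignored
        "wp-content/plugins/bp-gallery/inc/js/swfupload/swfupload.swf": b"FWS",
        "wp-content/plugins/bp-gallery/inc/js/swfupload/dropper.php": b"<?php",
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


# Constructed access-log lines (combined format); hosts and IPs are made up.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Nov/2017:12:00:01 +0000] "GET /wp-includes/js/swfupload/swfupload.swf?buttonImageURL=http://example.net/img/logo.jpg HTTP/1.1" 200 11234',
    '198.51.100.9 - - [18/Nov/2017:12:00:02 +0000] "GET /wp-includes/js/swfupload/swfupload.swf HTTP/1.1" 200 11234',
    '192.0.2.7 - - [18/Nov/2017:12:00:03 +0000] "GET /wp-content/plugins/bp-gallery/inc/js/swfupload/swfupload.swf?buttonImageURL=https://blog.example/button.png HTTP/1.1" 200 11234',
    '192.0.2.8 - - [18/Nov/2017:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    root = build_sample_tree()
    for path in find_unexpected_files(root):
        print("unexpected file in asset dir:", path)
    for path, host in flag_swfupload_requests(SAMPLE_LOG, {"blog.example"}):
        print("off-site buttonImageURL:", path, "->", host)
```

Run against a real install by replacing build_sample_tree() with the site root and SAMPLE_LOG with the access log; the second line of the sample log (swfupload.swf without a query string) is deliberately not flagged, since a bare request for the asset is what a normal uploader page produces.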