There is an exploit in your plugin
type: upload file in version 1.0.4
file:
[plugins-path]/uploader/uploadify/uploadify.php
Plugin uploads all files correctly but doesn’t send confirmation mail to administrator. Hosting is hostgator.com
I did not discover this, but it appears this plug-in uses the uploadify script and does not require admin access to execute the script. See here: https://packetstormsecurity.com/files/119219/WordPress-Uploader-1.0.4-Shell-Upload.html
No files of the plug-in, including an upload script, should allow external access to upload files to a user’s site. The file should be re-written to block non-logged-in users, use a nonce to prevent CSRF attacks, and block direct access to the file, as well as sanitize what files a user can upload, i.e. only allow specific file types such as images and documents, and not php, pl, swf, etc.
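One way to implement the checks listed above in a WordPress plugin, as an added example that is not part of the original post or the plugin's own code. The action name `uploader_example_upload`, the `nonce` and `upload_file` field names, and the allowed types are assumptions made for illustration.

```php
<?php
// Added example: hypothetical hardened upload handler for a WordPress plugin.
// It is loaded by WordPress as part of the plugin, never requested by URL.
defined( 'ABSPATH' ) || exit; // block direct access to this file

// Registering only wp_ajax_* (and no wp_ajax_nopriv_*) means the handler is
// never run for visitors who are not logged in.
add_action( 'wp_ajax_uploader_example_upload', 'uploader_example_handle_upload' );

function uploader_example_handle_upload() {
	// CSRF: the form must send a nonce made with
	// wp_create_nonce( 'uploader_example_upload' ) in its 'nonce' field.
	if ( ! check_ajax_referer( 'uploader_example_upload', 'nonce', false ) ) {
		wp_send_json_error( 'Invalid or missing nonce.', 403 );
	}
	// Authorisation: being logged in is not enough, require the capability.
	if ( ! current_user_can( 'upload_files' ) ) {
		wp_send_json_error( 'Not allowed to upload.', 403 );
	}
	if ( empty( $_FILES['upload_file'] ) || ! is_array( $_FILES['upload_file'] ) ) {
		wp_send_json_error( 'No file received.', 400 );
	}

	// Allowlist of extension => MIME type (assumed policy: images and PDF).
	// Anything not listed, such as php, pl or swf, is refused.
	$allowed = array(
		'jpg|jpeg' => 'image/jpeg',
		'png'      => 'image/png',
		'gif'      => 'image/gif',
		'pdf'      => 'application/pdf',
	);

	require_once ABSPATH . 'wp-admin/includes/file.php';
	// wp_handle_upload() checks the PHP upload error code, validates the file
	// type against the allowlist, and moves the file into the uploads
	// directory under a unique, sanitised name.
	$result = wp_handle_upload(
		$_FILES['upload_file'],
		array(
			'test_form' => false, // the nonce was verified above instead
			'mimes'     => $allowed,
		)
	);

	if ( isset( $result['error'] ) ) {
		wp_send_json_error( $result['error'], 400 );
	}
	wp_send_json_success( array( 'url' => $result['url'], 'type' => $result['type'] ) );
}
```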
I’m trying to use this to provide my client with an option for a user to easily upload images to be used in the next-gen gallery. I’d like to be able to select the full location, i.e. it’s not in the uploads folder that the images/files need to go to, but rather to wp-content/gallery/uploads. Is there an easy way to make this change? Thanks in advance.
I have activated the plugin and can access the settings, but it does not show under tools / uploader. What is wrong?
This plugin doesn’t work for me. I go through the process of uploading a file and it tells me that the file is successfully uploaded, sends me an email telling me where the file is… then I look there and the file isn’t there. Then I do a ‘find’ for the file at the top-level directory and the file still isn’t there.
The notification email tells me that the file is in:
/wp-content/uploads/2012/09/<uploadUserName>. That directory exists (only because I created it; the app didn’t) but the file just isn’t there. My uploads directory has permissions rwxr-xr-x. I don’t want to give any looser permissions for obvious security reasons. Furthermore, other uploads work fine under my /wp-content/uploads/ directory.
Really want this to work as it is allowing me to have one user who can upload to a different directory from the rest of the uploaded media content.
I have WP installed on a Windows hosting account with GoDaddy… when the upload user hits the upload button, the progress bar moves across, but at the end the bar goes pink and I get “HTTP Error.”
After attempting the upload, the site shows the new path created per the Uploader admin screen, and I have verified write permissions enabled in those directories.
Any suggestions? Very good chance I am missing something obvious…
Thanks!