Viewing 11 replies - 1 through 11 (of 11 total)
  • Well, I haven’t used this plugin, but it appears that the entire point of it is to allow users to upload files. From the get-go, that’s a security risk, and should have been an obvious one.

    In addition, the plugin states:

    Does the plugin perform any checks on uploaded files?
    The answer to that question is sadly no, not until I get round to adding some (it is still in beta though). Uploaded files will however be bound by the global php settings for uploads which should limit file size but not file type.

    So it freely admits it doesn’t do any checks on the type of file being uploaded.

    I don’t know what sort of checks the plugin does, if any, on user level, but these things should have been warning signs to you.

    Hi,
    I maintain the plugin and in the new version I have added a new blacklist of disallowed filetypes which prevents users uploading common dangerous file types which should reduce the risk, but with any upload mechanism there is always potential for exploitation. In future versions I will add the option of a whitelist which only allows certain file types. I am trying to do everything possible to prevent it from being exploitable, but if users are allowed to upload files on any site this will increase the exposure to hacking. With uploads you should also consider security on the server side – mechanisms such as suPHP, running the webserver under a chroot and of course keeping regular, offsite backups are always a good idea. It probably also is not a good idea to run beta plugins on a production site.

    // Extensions refused by the new version; compared against the uploaded file's name
    $blacklist = array(".php", ".phtml", ".php3", ".php4", ".php5", ".php6", ".cgi", ".fcgi", ".htaccess", ".js", ".shtml", ".pl", ".py", ".exe", ".bat", ".sh");

    Hopefully the new version is much more secure – if anyone knows any other filetypes which should be blacklisted please tell me.

    tomdwright,

    and how are you checking filetypes? by the extension?

    One word: useless.

    I can upload a file named image.gif, and guess what its not an image its a script.

    Need I say more?

    Please consult php.net for the proper ways to check mimetypes, etc.., as well as the rest of any user input.

    Hi,
    thank you for the advice – I will review how the files are checked when I have time. I thought that as most servers determine whether files are executed by filetype, if someone uploads a .php renamed to .gif, it will be named .gif on the server anyway so cannot be executed? I have seen a lot of people saying that mimetypes can be spoofed and vary between browsers, whereas there are only a fixed number of filetypes that a server will run as scripts. I have tried googling but everyone seems to disagree on this. I might just blacklist both just to be safe.

    Tomdwright,
    I think extension check would be enough, except one situation.
    I don’t know how your plugin works, but let’s imagine I upload my javascript and myimage.gif, and it would be loaded from an IMG src tag.

    So it could be a potential security hole as well, through XSS.

    Ah, if you mean via a rel in the tag for inclusion that is completely filtered. The actual links which appear on the page are simplified to bbcode style [img][/img] and [file][/file] which is then translated into html via a wordpress filter at the time of page generation. Hopefully that prevents the possibility of XSS (the only user input which gets into the main wordpress page is the bbcode link to the uploaded file). I have also been thinking it could generate a custom .htaccess for the upload directory which turns off cgi and php execution to protect against zero day flaws.

    If anyone thinks that there might be more problems please let me know and I will look into it ASAP.

    you can also chmod the file after it’s uploaded so it’s read only

    Hi Tom

    Thank you for this plug-in and yes, we have been warned.
    It still hurts to be hacked and we need some help.

    File upload occurs before actually submitting the comment,
    so comment moderation or verification is not the issue.
    Except moderation by registering users in order to comment.

    Info of what happened at my site (3.Sep.09, WP 2.8.4, plugin 0.20):
    Hackers found this plug-in through google! then uploaded a back door
    script – shell tool as 1251991716-up.php.jpeg then spy.php then
    inserted index.html at root then removed scripts.

    Thanks in advance..

    Thomas Wright

    (@tomdwright)

    I have completely rewritten this bit of the plugin in the 0.30 release based on a regular expression checking filenames, so now it should be a lot more secure – the issue you were hacked via should now no longer be possible (I now have a folder full of suspiciously named files and am testing each release).

    I have also added options to restrict which users can attach images in the options page. You could also set up your webserver to disable script execution in that folder as an additional level of protection. There is also now a whitelist based “images only” option – this will cut down a lot of the “unknown” factor (I cannot blacklist every single executable filetype for every server out there).

    As always the plugin’s code is open source so anyone concerned can check it themselves:

    // Check the uploaded filename against the blacklist pattern.
    // Returns 1 (blacklisted) when any part of the name carries a script-like
    // extension (so "up.php.jpeg" still matches), starts with a dot, or ends
    // with "~"; returns 0 (safe) otherwise.
    function filetype_blacklisted () {
        return preg_match ("/(\\.(.?html\\d?|php\\d?|f?cgi|htaccess|p(er)?l|py(thon)?|exe|bat|aspx?|sh|js)|^\\.|~$)/i", $_FILES['file']['name']);
    }

    Anyway, good luck and I hope you enjoy future releases of the plugin.
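    The following is an added example and not the plugin's own code. It runs the three filename checks discussed in this thread (the 0.2x extension list, the 0.30 regex, and an "images only" allowlist that also inspects the bytes) against constructed filenames modelled on the report above, and shows the kind of .htaccess the maintainer suggests generating for the upload directory. Function names, the sample payload bytes and the Apache 2.2-era directives are assumptions for illustration; it needs PHP 7.1 or later.

```php
<?php
// Added example, not code from the Easy Comment Uploads plugin.
// Compares the filename checks from this thread on the same inputs.

// The 0.2x-era check: only the LAST extension is compared.
function blacklisted_by_extension(string $name): bool {
    $blacklist = [".php", ".phtml", ".php3", ".php4", ".php5", ".php6", ".cgi",
                  ".fcgi", ".htaccess", ".js", ".shtml", ".pl", ".py", ".exe",
                  ".bat", ".sh"];
    $ext = strrchr(strtolower($name), '.');            // false when no dot at all
    return $ext !== false && in_array($ext, $blacklist, true);
}

// The 0.30 regex from the post above, taking the name as a parameter
// instead of reading $_FILES. Unanchored, so "up.php.jpeg" is caught too.
function blacklisted_by_regex(string $name): bool {
    return (bool) preg_match(
        '/(\.(.?html\d?|php\d?|f?cgi|htaccess|p(er)?l|py(thon)?|exe|bat|aspx?|sh|js)|^\.|~$)/i',
        $name);
}

// Allowlist ("images only"): exactly one dot, extension in the list, and the
// bytes must parse as that image type. A script renamed to .gif fails here.
function allowed_image(string $name, string $bytes): bool {
    $allowed = ['jpg' => IMAGETYPE_JPEG, 'jpeg' => IMAGETYPE_JPEG,
                'gif' => IMAGETYPE_GIF,  'png'  => IMAGETYPE_PNG];
    if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/', $name, $m)) {
        return false;                                   // double extension, dotfile, junk chars
    }
    $ext = strtolower($m[1]);
    if (!isset($allowed[$ext])) {
        return false;
    }
    $info = @getimagesizefromstring($bytes);            // false for non-image bytes
    return $info !== false && $info[2] === $allowed[$ext];
}

// .htaccess the plugin could write into the upload directory (assumed Apache
// 2.2 syntax, current when this thread was written; 2.4 uses "Require all denied").
// php_flag needs AllowOverride Options and only exists under mod_php, hence
// the IfModule guard (suPHP/FastCGI setups would otherwise return a 500).
function upload_dir_htaccess(): string {
    return <<<'HTACCESS'
# Never execute anything here, whatever the filename says
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
Options -ExecCGI -Indexes
RemoveHandler .php .phtml .php3 .php4 .php5 .phps .cgi .pl .py .shtml
RemoveType .php .phtml .php3 .php4 .php5 .phps
# Unanchored on purpose: also refuses "shell.php.jpeg"
<FilesMatch "\.(php\d?|phtml|phps|cgi|pl|py|sh|shtml)">
    Order allow,deny
    Deny from all
</FilesMatch>
HTACCESS;
}

// Constructed inputs: the attacker's name from the report plus variants.
function demo(): array {
    $php_bytes = "<?php system(\$_GET['c']); ?>";      // constructed sample payload
    $gif_bytes = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'); // real 1x1 GIF
    $cases = [
        ['1251991716-up.php.jpeg', $php_bytes],         // double extension used in the report
        ['spy.php',                $php_bytes],
        ['shell.PHTML',            $php_bytes],         // case games
        ['.htaccess',              "php_flag engine on\n"],
        ['evil.aspx',              $php_bytes],         // not in the 0.2x list
        ['image.gif',              $php_bytes],         // "it's not an image, it's a script"
        ['photo.gif',              $gif_bytes],         // the only legitimate upload
    ];
    $rows = [];
    foreach ($cases as [$name, $bytes]) {
        $rows[$name] = [
            'ext_blacklist'   => blacklisted_by_extension($name),
            'regex_blacklist' => blacklisted_by_regex($name),
            'image_allowlist' => allowed_image($name, $bytes),
        ];
    }
    return $rows;
}

foreach (demo() as $name => $r) {
    printf("%-24s ext list: %-3s regex: %-3s image allowlist: %s\n", $name,
        $r['ext_blacklist'] ? 'yes' : 'no', $r['regex_blacklist'] ? 'yes' : 'no',
        $r['image_allowlist'] ? 'pass' : 'reject');
}
echo "\n", upload_dir_htaccess(), "\n";
```

    Run with `php example.php`. The table it prints makes the thread's argument concrete: the 0.2x list misses "1251991716-up.php.jpeg" and "evil.aspx", the 0.30 regex catches both, and only the allowlist rejects "image.gif" carrying PHP bytes while accepting the genuine GIF. The .htaccess is the third layer: even a name that slips past both checks is never handed to the PHP engine.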

    I am using this plugin in conjunction with other plugins to create a client extranet. This will allow my account managers and clients to easily share files back and forth.

    I would like to have an option to upload the files directly into the directory that the client page resides.

    I.e.: I have my WP blog set up so that when a client logs in they are auto-forwarded to their own WP page. Using a bit of code that authenticates the page against their login, the user is restricted to their page only. This is where I want the files to upload so that only they can access the files that are uploaded to their own client page.

    can this be done?

    Hello,
    Yes, it should be possible. I will just need to modify the plugin to allow you to specify the folder in which files are uploaded and then I will post instructions on how you can include this in your blog.

  • The topic ‘[Plugin: Easy Comment Uploads] Got hacked because of this plugin!’ is closed to new replies.