How to Secure Your Upload Scripts and How Hackers use Google to find Vulnerable Sites.

This week we’ve seen two new exploits hit the wild, one in the Ghost commercial theme and another in WP-Mailinglist. Both exploit Uploadify and use it to upload malicious scripts or data to websites.

We’ve seen exploits for several years now that take advantage of various upload libraries. Configured correctly, upload libraries can be a useful tool. The problem is that some plugins and themes include these libraries by default, even if a site owner has no intention of uploading files to their site.

So in this alert we’re recommending that you do an audit of your site, in particular your active WordPress theme, and check if any upload library or functionality exists in your theme.

Theme authors tend to place upload libraries in subdirectories named ‘includes/’, ‘libs/’, ‘vendors/’ and so on. For example the Ghost theme puts Uploadify in “includes/uploadify” and the WP-Mailinglist plugin puts it in a subdirectory of the plugin called “vendors/uploadify”.

We recommend that you use cPanel’s File Manager, your FTP client or whatever utility your host provides to browse your active theme’s subdirectories and check whether anything there looks like an upload library. Your active theme’s files live in wp-content/themes/your-theme-name/

Upload libraries include “SWFUpload”, “HTTP_Upload”, “class.upload.php”, “Uploadify” and “jQuery-file-upload”. If you find anything that looks like an upload library and you never upload files to your website, drop the theme maker a polite email and ask them how to disable the upload functionality completely to help secure your site.

Be careful not to simply delete the upload library: if other files in the theme depend on it, the theme may break once the library can no longer be found.
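To make that audit repeatable, here is an added shell script (not part of the original alert, and not from any theme or plugin author) that walks a theme directory, flags paths whose names match the upload libraries listed above, and for each one lists the other theme files that reference it, so you can see what would break if it were removed. The function names and the constructed sample theme layout are the example’s own assumptions; the jquery.fileupload* pattern is the file name the jQuery-file-upload library actually ships under. The script only reports and never deletes anything.

```shell
#!/bin/sh
# Added example: audit a WordPress theme (or plugin) directory for bundled upload libraries.
# Usage on a live site: audit_theme /path/to/wp-content/themes/your-theme-name

# Print every path under $1 whose name matches one of the upload libraries named in the
# alert (SWFUpload, HTTP_Upload, class.upload.php, Uploadify, jQuery-file-upload).
# Matched directories are pruned so their contents are not listed a second time.
find_upload_libs() {
    dir="$1"
    find "$dir" \( -iname '*swfupload*' \
                -o -iname '*http_upload*' \
                -o -iname 'class.upload.php' \
                -o -iname '*uploadify*' \
                -o -iname '*jquery-file-upload*' \
                -o -iname 'jquery.fileupload*' \) -prune -print 2>/dev/null | sort
}

# List files under $1 (excluding the library path $2 itself) whose contents mention the
# library's base name, i.e. the files that would break if the library were deleted.
find_references() {
    dir="$1"
    libpath="$2"
    name=$(basename "$libpath")
    name=${name%.*}                      # "class.upload.php" -> "class.upload"
    grep -rIl -i -- "$name" "$dir" 2>/dev/null | grep -v -F -- "$libpath" | sort
}

# Combine the two: report each library hit followed by its dependants.
audit_theme() {
    dir="$1"
    find_upload_libs "$dir" | while IFS= read -r hit; do
        printf 'UPLOAD LIBRARY: %s\n' "$hit"
        find_references "$dir" "$hit" | sed 's/^/    referenced by: /'
    done
}

# Constructed sample theme mimicking the Ghost layout (includes/uploadify), so the
# script runs offline. Not a real theme; replace with your own theme path.
make_sample_theme() {
    t=$(mktemp -d)
    mkdir -p "$t/includes/uploadify" "$t/js"
    printf '<?php\n// constructed stand-in for an upload handler\n' > "$t/includes/uploadify/uploadify.php"
    printf '<?php\nrequire_once dirname(__FILE__) . "/includes/uploadify/uploadify.php";\n' > "$t/functions.php"
    printf '/* Theme Name: Sample */\n' > "$t/style.css"
    printf 'console.log("no upload code here");\n' > "$t/js/main.js"
    printf '%s\n' "$t"
}

SAMPLE=$(make_sample_theme)
audit_theme "$SAMPLE"
rm -rf "$SAMPLE"
```

On the sample layout the report shows the includes/uploadify directory and names functions.php as the file that pulls it in; on a real theme, an empty "referenced by" list is the signal that the library can be removed safely, while any listed file is one to discuss with the theme author first.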

Now some security trivia: Did you know that hackers find vulnerable sites by using something called a “Google Dork”? It’s a crafted search that exposes websites running a vulnerable theme, plugin or application version in the Google search results. A recent example is the Ghost theme vulnerability I mentioned above. The exploit currently in the wild, as published by hackers, suggests finding websites running this theme with the following crafted search:

inurl:wp-content/themes/Ghost/

At the time of writing, that search yields about 20,000 results, enough to keep a hacker busy probing sites for quite some time.

Have an awesome Halloween and a spectacular weekend!!
