• RE: root/wp-includes/js/swfupload/

    I had 2 of my client WordPress sites hacked in this past month and they uploaded malicious PHP and JS files to infect the site with a backdoor PHP script. When I found the hacked upload 2 weeks ago in one client’s site, I wondered how they got into the site while using WordFence Premium.

    Now I think I found the hackers’ method: I believe they used “swfupload”.

    Any security scan will not show “swfupload” as a danger because WordPress (foolishly) includes these script files for legacy reasons. Apart from that, the files in folder “swfupload” are not needed for current WordPress installs. These are old files and since they are old they are NO longer updated to stop hackers.

    Now that I had 2 client websites hacked and malicious files uploaded, I believe that is the weak spot in WordPress allowing the hacker to gain access.

    Why do I post this string?

    To tell WordPress to STOP including that damn folder and files. It’s over 7 years of legacy inclusion and it’s time to end it.

    All WordPress users need to remove that folder and contents and yes, if you have a plugin that depends on it, contact the plugin author to get their butts in gear to stop using that vulnerability.

    Unfortunately, since WordPress devs still include it, that means each time WordPress is updated, you need to access your folder/file system via SFTP and delete that folder.

    I am going to notify WordFence to include that folder as a warning as the default setting.

    … and No, any suggested mod to those old files to keep the old swfupload is not a good idea. Hackers are far more intelligent to overcome that than any of us.

    Removing the entire folder is the best move.

  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Moved to How-To and Troubleshoot. Hacks is for coding questions.

    Now I think I found the hackers’ method: I believe they used “swfupload”.

    If you have tangible evidence of that then please give this a read.

    https://www.ads-software.com/about/security/

    WordPress Security Risks, Process, and History

    The WordPress Security Team believes in Responsible Disclosure by alerting the security team immediately of any potential vulnerabilities. Potential security vulnerabilities can be signaled to the Security Team directly via the email address: [email protected] The Security Team communicates amongst itself via a private email list, and works on a walled-off, private Trac for tracking, testing, and fixing bugs and security problems.

    You can report the details to that email address above.

    Now that I had 2 client websites hacked and malicious files uploaded, I believe that is the weak spot in WordPress allowing the hacker to gain access.

    In all likelihood you need to delouse your installations.

    https://codex.www.ads-software.com/FAQ_My_site_was_hacked

    Unfortunately, since WordPress devs still include it, that means each time WordPress is updated, you need to access your folder/file system via SFTP and delete that folder.

    It’s included for compatibility reasons and is safe. If those files are being accessed remotely then perhaps you want to block that via .htaccess?

    <IfModule mod_rewrite.c>
    RewriteEngine On
    # Match any request path containing /swfupload (the trailing \/* allows zero or more slashes)
    RewriteCond %{REQUEST_URI} ^(.*)\/swfupload\/*
    # Answer such requests with 403 Forbidden instead of serving the file
    RewriteRule .* - [F]
    </IfModule>

    Please test it before you try. If you put that at the top of your .htaccess file then that should work. This should prevent you from having to delete that folder every time you update WordPress.

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    Note that the version of “swfupload” included in WordPress is not the original one. It is a forked version that the WordPress team maintains, in order to address any known security vulnerabilities in it.

    You can find the modified files for it here: https://github.com/WordPress/secure-swfupload

    Thread Starter mwarbinek

    (@mwarbinek)

    Thanks for the input. I will certainly keep the suggestions in mind, especially the htaccess mod, yet unless it is unavoidable, swfupload gets deleted.

  • The topic ‘Swfupload – Security Threat (2016)’ is closed to new replies.