WordPress OptimizePress Theme – File Upload Vulnerability

We are a few days late on this one, but it is still worth writing up, as the number of attacks against this vulnerability is increasing ten-fold.

The folks at OSIRT were the first to report this, in late November 2013. In the cases we are seeing, the attackers mostly deface the site; not devastating, but a big nuisance for an unsuspecting website owner.

Please be sure to read the official announcement by the OptimizePress team:

This is an important announcement for OptimizePress 1.0 users. (Please note this does NOT apply to OptimizePress 2.0 which is built with a completely new codebase)

Back in April 2013 we discovered a potential security flaw in part of the code for OptimizePress 1.0. Our developers quickly patched this issue and we released an update to the platform. We also announced this to our customers via email, although it appears now that many of our users may not have received this email. – OptimizePress Team (Read Full)

The Vulnerability

The target of the attack is the file lib/admin/media-upload.php. It can be used to upload any file into the wp-content/uploads/optpress/images_comingsoon directory, and it stores the file under its original name and extension, so an uploaded .php file lands on disk as a .php script inside the web root.

Vulnerable versions of this file offer the upload functionality to anyone, including unauthenticated visitors, while the patched versions first check that the request comes from a user with admin-level permissions. It is easy to tell one from the other.

The beginning of the vulnerable files:

<?php include "../../../../../wp-config.php"; ?>
<?php get_template_directory(); ?>

The beginning of the patched files:

<?php include "../../../../../wp-config.php";
if ( !current_user_can('add_users') ) {
echo 'You cannot access this file. Sorry.';
exit;
}
?>
<?php get_template_directory(); ?>

There are two more files in version 1 with the same flaw:

lib/admin/media-upload-lncthumb.php and lib/admin/media-upload-sq_button.php

Be mindful that the premium themes seem to reuse the same code across several files, so you need to scrub all of them to make sure nothing is left unpatched. The last thing you want is to patch one file and leave another two vulnerable.

These two write their uploads to:

wp-content/uploads/optpress/images_lncthumbs and wp-content/uploads/optpress/images_optbuttons

The same current_user_can('add_users') check (note the capability name is add_users, plural, exactly as in the patched code above) is present in the newer versions of all three files.

Working with OptimizePress powered sites

This theme is quite popular, especially on blogs that sell or promote products. Many of them still run the old version of OptimizePress, partly because such sites are often not well administered, and partly because the upgrade to the newer version is not free and the theme is pricey for some.

So if you find OptimizePress on a server, check the installation.

Look for the following files:

  • lib/admin/media-upload.php,
  • lib/admin/media-upload-lncthumb.php,
  • lib/admin/media-upload-sq_button.php

If they do not contain the current_user_can('add_users') check, add the following code right after the first line, the one that includes ../../../../../wp-config.php. Note that in the vulnerable file that first line closes the PHP block with ?>: either remove that ?> (as in the patched version shown above) or wrap the added lines in their own <?php ... ?> tags, otherwise the check is sent to the browser as text and never runs.

Patch:

if ( !current_user_can('add_users') ) {
echo 'You cannot access this file. Sorry.';
exit;
}

Note: there is also an official update that addresses this vulnerability, but it involves downloading the patched files from the OptimizePress member area.

Next, check the upload directories for suspicious files:

wp-content/uploads/optpress/images_comingsoon
wp-content/uploads/optpress/images_lncthumbs
wp-content/uploads/optpress/images_optbuttons

In the cases we have been working on, we find numerous backdoors sprinkled throughout these directories, which are then used as the foothold for further compromise of the site.

A quick hardening of the upload directories also helps. By this we mean disabling PHP execution there with an .htaccess rule. Be careful with the pattern: <Files .php> would only match a file literally named .php, so use a match that covers every PHP file name (the rule below also catches the .phtml and .php3/.php5 variants PHP may be configured to execute). The "deny from all" form is Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead. This only protects you if Apache serves the directory and honours .htaccess there (AllowOverride).

<FilesMatch "\.(php|phtml|php[0-9])$">
deny from all
</FilesMatch>
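The steps above (find the three handlers, add the capability check, inspect the three upload directories, block PHP execution) as one shell script. This is an added example and not Sucuri's or OptimizePress's tooling: the file and directory paths are the ones named in this post, while the function names, the two command-line arguments, the image-extension allow list and the script file name optpress-audit.sh are this example's own assumptions. The guard it inserts is the vendor's check wrapped in its own <?php ... ?> tags, because the vulnerable first line already closes the PHP block.

```shell
#!/bin/sh
# Audit and patch an OptimizePress 1.x install (added example, not vendor code).
# Paths come from the advisory; function names and arguments are this script's own.

# The three admin upload handlers, relative to the theme directory.
OP_UPLOAD_HANDLERS="lib/admin/media-upload.php lib/admin/media-upload-lncthumb.php lib/admin/media-upload-sq_button.php"

# The directories they write into, relative to wp-content/uploads.
OP_UPLOAD_DIRS="optpress/images_comingsoon optpress/images_lncthumbs optpress/images_optbuttons"

# The vendor's check, wrapped in its own PHP tags: the vulnerable first line
# ends with "?>", so a bare "if" pasted after it would be emitted as text.
OP_GUARD="<?php if ( !current_user_can('add_users') ) { echo 'You cannot access this file. Sorry.'; exit; } ?>"

# Print each handler under $1 (the theme directory) that lacks the
# current_user_can('add_users') guard; exit status 1 if any were found.
unpatched_handlers() {
    found=0
    for rel in $OP_UPLOAD_HANDLERS; do
        f="$1/$rel"
        [ -f "$f" ] || continue
        if ! grep -qE "current_user_can\([[:space:]]*.add_users.[[:space:]]*\)" "$f"; then
            echo "$f"
            found=1
        fi
    done
    return $found
}

# Insert the guard after the wp-config.php include on line 1 of $1.
# Refuses files whose first line does not close the PHP block, since the
# wrapped guard would then land inside an open <?php section.
patch_handler() {
    grep -q 'current_user_can' "$1" && return 0           # already guarded
    if ! head -n 1 "$1" | grep -q '?>[[:space:]]*$'; then
        echo "$1: unexpected first line, patch by hand" >&2
        return 1
    fi
    work="$1.tmp.$$"
    awk -v guard="$OP_GUARD" 'NR == 1 { print; print guard; next } { print }' "$1" > "$work" \
        && mv "$work" "$1"
}

# Print files in the upload directories under $1 (wp-content/uploads) that are
# not images, or that are images carrying a PHP open tag; exit status 1 if any.
suspicious_uploads() {
    hits=$(
        for rel in $OP_UPLOAD_DIRS; do
            d="$1/$rel"
            [ -d "$d" ] || continue
            find "$d" -type f | while IFS= read -r f; do
                case "$f" in
                    */.htaccess) ;;                                  # the hardening file below
                    *.jpg|*.jpeg|*.png|*.gif) grep -q '<?php' "$f" && echo "$f" ;;
                    *) echo "$f" ;;                                  # nothing else belongs here
                esac
            done
        done
    )
    [ -n "$hits" ] && printf '%s\n' "$hits"
    [ -z "$hits" ]
}

# Block direct execution of PHP in each upload directory. "deny from all" is
# Apache 2.2 syntax as in the post; on 2.4 use "Require all denied". Only
# effective if Apache honours .htaccess there (AllowOverride).
harden_uploads() {
    for rel in $OP_UPLOAD_DIRS; do
        d="$1/$rel"
        [ -d "$d" ] || continue
        cat > "$d/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|php[0-9])$">
deny from all
</FilesMatch>
EOF
    done
}

# Usage: sh optpress-audit.sh <theme-dir> <wp-content/uploads>
if [ "$#" -eq 2 ]; then
    unpatched_handlers "$1" | while IFS= read -r f; do patch_handler "$f"; done
    harden_uploads "$2"
    suspicious_uploads "$2"
fi
```

Run it as sh optpress-audit.sh /path/to/wp-content/themes/OptimizePress /path/to/wp-content/uploads. Anything suspicious_uploads prints should be reviewed by hand rather than deleted blindly; an image that also contains a PHP open tag is the classic polyglot backdoor, and a file with any other extension simply has no business in a directory the theme uses for pictures.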

Your other option is to use our CloudProxy protection service. It was built for vulnerabilities like this one: flaws that go unnoticed, sitting in code most webmasters are unaware of and unable to fix. Existing Sucuri customers can add the service to their accounts as well.

WordPress 3.8 Released Too

On a different note, WordPress 3.8 was just released. Be sure to run the update and get current. If you're running 3.7, don't assume the new automatic background updates have taken care of it: by default they only apply minor (maintenance) releases, so the jump to 3.8 still has to be applied by hand unless you have enabled major updates in wp-config.php.

About Denis Sinegubko

Denis is the founder of Unmask Parasites and a Senior Malware Researcher at Sucuri.

  • Saad Durrani

    >If you’re running 3.7 then you’re likely auto updated, but if not be sure to do so.

    Not really. Auto Updates only run for maintenance releases, e.g. 3.7 to 3.7.1, but not from 3.7 to 3.8. It can be done unless you manually tinker with the wp-config.php file.