Critical Vulnerability Affecting HD FLV Player

  • December 10, 2014

We’ve been notified of a critical vulnerability affecting the HD FLV Player plugin for Joomla, WordPress and custom websites. It was silently patched on Joomla and WordPress, leaving the custom website version vulnerable.

Furthermore, websites running this plugin are also at risk of being used to send spam emails, an issue which wasn’t fixed in the updated version.

Impacts of the Vulnerability

Websites using one of the aforementioned CMS applications and running an outdated version are vulnerable to an arbitrary file download vulnerability which could be used, depending on the platform, to take control of the targeted website. It is important to note that websites using the custom version of this plugin are still vulnerable.

The issue is found in the following files: download.php and email.php

This is what the Download.php code looks like:

HD FLV Player - Download File Vulnerability

From this snippet we can see how the attacker is able to download almost any file they like to the server. There are no security checks being applied before accessing this file, making it accessible, and exploitable, to anyone that knows the url structure to the file.

Same thing goes for email.php, it filters the variables used to send emails:

HD FLV Player Vulnerability

Then it assumes that if the provided referrer field fits the website’s URL, then it’s okay to send this email:

Vulnerability HD FLV Player

Unfortunately, the referrer field can easily be modified by the attacker to match pretty much anything they want, so it’s not any more secure to validate requests this way.

Update (or Delete)!

This is a critical vulnerability.

If you use this plugin on a custom website, we highly recommend you to either remove these two files (download.php and email.php). For WordPress/Joomla! users, be sure to update your plugins/extensions; in this instance applying an update should protect you from the Arbitrary File Download vulnerability. You should still remove the “email.php” file from your site to prevent your mail server’s IP from getting blacklisted, something we see often.

Note that any site behind our Website Firewall (CloudProxy) are automatically protected against this vulnerability.

Marc-Alexandre Montpas is Sucuri’s Senior Security Analyst who joined the company in 2014. Marc’s main responsibilities include reversing security patches and scavenging vulnerabilities, old and new. His professional experience covers eight years of finding bugs in open-source software. When Marc isn’t breaking things, you might find him participating in a hacking CTF competition. Connect with him on Twitter.

2 comments

  1. Yes delete these email.php and download.php files and then upgrade to the latest version 2.2

Comments are closed.

Related Categories
You May Also Like