Critical Vulnerability Affecting HD FLV Player

December 10, 2014, by Marc-Alexandre Montpas

We’ve been notified of a critical vulnerability affecting the HD FLV Player plugin for Joomla, WordPress and custom websites. It was silently patched on Joomla and WordPress, leaving the custom website version vulnerable.

Furthermore, websites running this plugin are also at risk of being used to send spam emails, an issue which wasn’t fixed in the updated version.

Impacts of the Vulnerability

Websites using one of the aforementioned CMS applications and running an outdated version are vulnerable to arbitrary file download, which, depending on the platform, could be used to take control of the targeted website. It is important to note that websites using the custom version of this plugin are still vulnerable.

The issue is found in the following files: download.php and email.php.

This is what the download.php code looks like:

[Screenshot: HD FLV Player - Download File Vulnerability]

From this snippet we can see how an attacker is able to download almost any file they like from the server. No security checks are applied before the requested file is accessed, making it readable, and exploitable, by anyone who knows the URL structure of the file.
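As an added example that is not the plugin's own code, here is the check that download.php lacked: a handler that resolves the requested name inside one fixed directory and refuses anything else. The `media` directory, the `file` parameter name and the extension list are assumptions for the example, not taken from the plugin.

```php
<?php
// Added example (not HD FLV Player code): a download handler restricted to one
// directory. The post describes download.php as reading the requested file with
// no check at all; this version resolves and contains the path first.

declare(strict_types=1);

/** Directory the handler may serve from (assumed; adjust per installation). */
const ALLOWED_DIR = __DIR__ . '/media';

/** File types the player legitimately needs to hand out (assumed list). */
const ALLOWED_EXT = ['flv', 'mp4', 'jpg', 'png'];

/**
 * Resolve a user-supplied file name to a real path inside ALLOWED_DIR.
 * Returns null when the request escapes that directory, names a hidden
 * file, uses a disallowed extension, or points at a missing file.
 */
function resolveDownloadPath(string $requested): ?string
{
    // Drop any directory component: only a bare file name is accepted,
    // so "../" sequences never reach the filesystem.
    $name = basename($requested);
    if ($name === '' || $name[0] === '.') {
        return null;
    }

    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }

    // realpath() resolves symlinks and ".." so the prefix test below is
    // meaningful; it also returns false for non-existent paths.
    $base = realpath(ALLOWED_DIR);
    $full = realpath(ALLOWED_DIR . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false) {
        return null;
    }
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // resolved outside the allowed directory
    }
    return $full;
}

$path = resolveDownloadPath((string)($_GET['file'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

// Serve as an attachment with a server-chosen file name.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string)filesize($path));
readfile($path);
```

The `basename()` call alone already removes traversal, but the `realpath()` containment test is kept as a second layer so a symlink dropped into the media directory cannot point the handler elsewhere. Inside WordPress or Joomla the same handler would additionally run through the platform's own capability and nonce checks rather than being reachable as a bare PHP file.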

The same goes for email.php. It first filters the variables used to send emails:

[Screenshot: HD FLV Player Vulnerability]

Then it assumes that if the supplied referrer matches the website's URL, it is okay to send the email:

[Screenshot: Vulnerability HD FLV Player]

Unfortunately, the referrer field can easily be set by the attacker to pretty much anything they want, so validating requests this way provides no real security.
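To show what a "share by email" endpoint can rely on instead of the Referer header, here is an added example (not the plugin's code). It ties the request to a per-session form token, validates the recipient address, and caps how many messages one session may send so the site cannot be turned into an open relay. The session-token design, the `example.com` addresses and the send limit are assumptions for the example.

```php
<?php
// Added example (not HD FLV Player code): an email form that never consults
// the Referer header. The post notes that email.php trusted Referer, which
// the client controls; this version uses a session-bound token instead.

declare(strict_types=1);
session_start();

/** Only well-formed addresses, with no CR/LF that could inject mail headers. */
function isAllowedRecipient(string $to): bool
{
    return filter_var($to, FILTER_VALIDATE_EMAIL) !== false
        && strpbrk($to, "\r\n") === false;
}

/** Issue a random per-session token that the form must echo back. */
function issueFormToken(): string
{
    if (empty($_SESSION['share_token'])) {
        $_SESSION['share_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['share_token'];
}

/** Constant-time comparison of the echoed token against the session copy. */
function isValidFormToken(?string $supplied): bool
{
    return is_string($supplied)
        && isset($_SESSION['share_token'])
        && hash_equals($_SESSION['share_token'], $supplied);
}

/** Per-session send cap (assumed value), so one visitor cannot mass-mail. */
function withinSendLimit(int $max = 5): bool
{
    $_SESSION['share_count'] = ($_SESSION['share_count'] ?? 0) + 1;
    return $_SESSION['share_count'] <= $max;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!isValidFormToken($_POST['token'] ?? null) || !withinSendLimit()) {
        http_response_code(403);
        exit('Forbidden');
    }

    $to = (string)($_POST['to'] ?? '');
    if (!isAllowedRecipient($to)) {
        http_response_code(400);
        exit('Bad recipient');
    }

    // Subject, From: and body template are chosen by the server; the only
    // user-controlled piece is the video name, and it is URL-encoded.
    $video = basename((string)($_POST['video'] ?? ''));
    $sent = mail(
        $to,
        'A video was shared with you',
        'Watch it at: https://example.com/player?video=' . rawurlencode($video),
        "From: no-reply@example.com\r\n"
    );
    exit($sent ? 'Sent' : 'Mail failed');
}

// GET: render the form with the token embedded as a hidden field.
$token = htmlspecialchars(issueFormToken(), ENT_QUOTES, 'UTF-8');
echo '<form method="post">'
   . '<input type="hidden" name="token" value="' . $token . '">'
   . '<input name="to" type="email"> <input name="video"> '
   . '<button>Share</button></form>';
```

The token only proves that the request originated from a page this server rendered for this session, which is the property the Referer check was meant to provide; the recipient validation and send cap address the separate spam-relay problem the post mentions, since a valid token still does not entitle a visitor to unlimited outbound mail.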

Update (or Delete)!

This is a critical vulnerability.

If you use this plugin on a custom website, we highly recommend that you remove these two files (download.php and email.php). For WordPress/Joomla! users, be sure to update your plugins/extensions; in this instance, applying the update should protect you from the Arbitrary File Download vulnerability. You should still remove the “email.php” file from your site to prevent your mail server’s IP from getting blacklisted, something we see often.

Note that any site behind our Website Firewall (CloudProxy) is automatically protected against this vulnerability.


Categories: Joomla Security, Vulnerability Disclosure

About Marc-Alexandre Montpas

Marc-Alexandre Montpas is Sucuri’s Senior Security Analyst who joined the company in 2014. Marc’s main responsibilities include reversing security patches and scavenging vulnerabilities, old and new. His professional experience covers eight years of finding bugs in open-source software. When Marc isn’t breaking things, you might find him participating in a hacking CTF competition. Connect with him on Twitter.


Comments

  1. Karthikeyaniselvaraj

    January 31, 2015

    Yes, delete these email.php and download.php files and then upgrade to the latest version 2.2

  2. david

    February 26, 2015

    not resolved bug security?

    Version 2.2 is a bug?
