Uploadify Security Issue
We are sorry to inform you that the Uploadify script used in the Newsletter plugin and Shopping Cart plugin has caused security issues for our users and some sites were hacked. Please note that this is not the fault of Uploadify but rather a flaw in the implementation on our side.
Update: New versions of the Newsletter plugin and Shopping Cart plugin have been uploaded to the Tribulant Software website. Please get them from your downloads section.
What happened exactly?
The Uploadify script is used in the two plugins mentioned for their file upload custom fields so that your users can upload files using Ajax (without page refresh) to upload files accordingly.
The file that handles the upload is
wp-checkout/vendors/uploadify/upload.php where the posted file data is taken and the file is moved to
wp-content/uploads/wp-checkout/uploadify/ where they are accessible.
Hackers have exploited the
upload.php script which handles the upload, uploaded files to the two destinations mentioned above and executed the scripts accordingly through the browser.
How do we fix this?
We have already applied fixes in our latest builds and will be releasing them shortly. In the meanwhile, please handle this on your side since you have an insecure installation.
Please see the Making Uploadify Secure article which was recently posted by Uploadify with instructions on making the script secure against hackers. Go through the points to secure the problem.
If you don’t use any file upload custom fields in the plugins, please just completely delete
If you are using file upload custom fields and you don’t want to lose this functionality, go to
wp-content/uploads/wp-checkout/uploadify and put a blank index.php file in there so the content cannot be seen. Also create a .htaccess file in that directory with the following in it:
deny from all
Options All -Indexes
This .htaccess file will make the directory where files are uploaded inaccessible to the public so that if any scripts are indeed uploaded to that location that they cannot be executed to perform malicious actions.
We apologize for any inconvenience and trouble caused by this! We hope that this blog post reaches everyone quickly and we assure you that we are releasing versions with a security update shortly.