Where has TDO Mini Forms plugin gone?

I haven’t been updating or working on this WordPress plugin of mine for a while now. And it seems it has been removed from the WordPress.org plugin directory.

I’ve put up a temporary mirror link on the page here for it for those desperate enough to want it now. However an exploit was reported against it. Details below.

tl/dr An exploit was reported to WordPress support. The plugin was pulled. Will be fixed.

I think the term “exploit” is a not completely true. I’m not able to replicate the exploit on my web servers.

You have to have a public visible form, with an upload form and allow anonymous users to upload. The reported exploit uses only the first form, but in theory any form could be used. You temporary upload folder must also be publically available, but if you the post is automatically published, then the uploaded file will be publically available.

But you must also have your webserver configured to execute files as .php even if their extensions are .jpg. On my host and even on my default test setups, this is not the default. I’m not a big enough web server admin expert to properly understand all the ins and outs of this part, but generally it’s outside the scope of wordpress or tdo-mini-forms.

Example, the exploit user would upload script_to_run.php.jpg to your upload form. They’d then run it using a URL (if it’s public from the temp folder (uploads are kept for one hour). My setup would always treat that file as Image file and so it wouldn’t run.

See this thread from wp-hackers mailing list for more info on it.

If you think you’re currently affected, remove the upload widget from your forms or only allow trusted users to upload files.

WordPress does have some code now to remove the double extension. So I plan to update tdo-mini-forms to do this. I’m afraid I don’t currently have a test bed or a huge amount of time to fix this, but I will do it in the next month or so.

Related Posts: