Content management system providers Joomla and WordPress have patched a critical vulnerability in the HD FLV Player, but custom websites running the Flash video player are still vulnerable.
Researchers at Sucuri disclosed this week that a separate security issue can be abused to send spam and has yet to be patched.
“Websites using one of the aforementioned CMS applications and running an outdated version are vulnerable to an Arbitrary File Download vulnerability which could be used, depending on the platform, to take control of the targeted website,” said researcher Marc Alexandre Montpas. “It is important to note that websites using the custom version of this plugin are still vulnerable.”
Montpas said the download.php and email.php files associated with the FLV Player are to blame.
In a blogpost, Montpas posted code snippets that demonstrate how an attacker can take advantage of download.php to download files from the server.
“There are no security checks being applied before accessing this file, making it accessible and exploitable to anyone that knows the URL structure to the file,” he said.
With the email.php file, Montpas said a Referrer field can be modified by a hacker to match a file’s URL structure.
“Unfortunately, the “Referer” field can easily be modified by the attacker to match pretty much anything they want, so it’s not any more secure to validate requests this way,” he said.
As a mitigation, Montpas said users running the HD FLV Player plug-in on a custom website should remove these two files.
“For WordPress/Joomla! users, be sure to update your plugins/extensions; in this instance applying an update should protect you from the Arbitrary File Download vulnerability,” he said. “You should still remove the “email.php” file from your site to prevent your mail server’s IP from getting blacklisted, something we see often.”
Problems with content management systems such as Joomla and WordPress have been a familiar refrain this year with attackers taking advantage of vulnerabilities in these platforms running millions of websites to launch attacks on a large scale. Most recently, Joomla had an issue with a security patch and had to reissue, leaving sites exposed to a nasty remote file inclusion vulnerability.
And just last week, WordPress dealt with a critical remote code execution vulnerability in a popular plugin, WordPress Download Manager. It could be used to implant a backdoor on a vulnerable site or get access to administrative accounts. Researchers at Sucuri discovered the vulnerability and a fixed version of the WP Download Manager plugin was released last week.