WordPress.org
Get WordPress

Make WordPress Core

Opened 10 years ago

Closed 6 years ago

Last modified 6 years ago

#24728 closed enhancement (invalid)

Provide option to disable / remove swfupload

Reported by: msaffitz's profile msaffitz Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Upload Keywords:
Focuses: Cc:

Description

This suggestion is in response to the vulnerability discussed here: https://github.com/wordpress/secure-swfupload/issues/1

Given swfupload is deprecated, it'd be nice to provide an option to disable and/or remove it from an install to reduce potential attack surface. Ideally this could be done in such a way that plugins could detect whether swfupload were available or not, but I'm not sure how feasible that is or even if it would be ideal, since the work to implement detection would be better spent just upgrading to plupload.

Change History (10)

#1 @nacin
10 years ago

You can simply delete the wp-includes/js/swfupload/ directory.

#2 follow-up: @msaffitz
10 years ago

Would that cause issues for upgrades? (i.e. Would the files be added back on upgrade to newer versions of WP?)

#3 in reply to: ↑ 2 @nacin
10 years ago

Replying to msaffitz:

Would that cause issues for upgrades? (i.e. Would the files be added back on upgrade to newer versions of WP?)

Yeah, technically.

#4 @nacin
9 years ago

  • Component changed from General to Upload

#5 @chriscct7
8 years ago

  • Keywords needs-patch added
  • Milestone Awaiting Review deleted
  • Resolution set to maybelater
  • Status changed from new to closed

comment:1 though :-)

Closing as maybelater. Complete lack of interest on the feature on the ticket over the last 2 years. Feel free to reopen when more interest re-emerges (particularly if there's a patch).

#6 @bilalakil
6 years ago

  • Resolution maybelater deleted
  • Severity changed from normal to major
  • Status changed from closed to reopened

Hi there, bringing this back up due to a recent incident on my WordPress site. It was hacked somehow and a foreign PHP file turned up at wp-includes/js/swfupload/ukqdwrmx.php, and started spamming people the webhost shut down my site.

I didn't check the contents of that file before I deleted it (which I regret - would've been interesting).

While this is just a guess, it might be the case that this deprecated swfupload thingy has had a vulnerability revealed in the last few years, and is now being exploited. If this is true, it might be a matter of urgency to remove it from WordPress.

I'm not the most educated on this matter, but just wanted to bring the topic back up for consideration.

Cheers,
Bilal.

Last edited 6 years ago by chriscct7 (previous) (diff)

#7 @chriscct7
6 years ago

SWFUpload.swf was removed from WordPress core in #41752. If you're still seeing it, please update your WordPress install as it is out of date.

#8 @chriscct7
6 years ago

  • Resolution set to invalid
  • Status changed from reopened to closed

#9 @chriscct7
6 years ago

  • Keywords needs-patch removed

#10 @chriscct7
6 years ago

  • Severity changed from major to normal
Note: See TracTickets for help on using tickets.