Researchers find 30 vulnerabilities in upload functions of web apps

Using an automated test kit, South Korean researchers found thirty vulnerabilities in the file upload functions of 23 apps, including WordPress. The culprit is said to be a specific mechanism present in apps that offer file uploads.

The mechanism was found in 23 different types of apps. Content management systems, forums and open-source web applications, among others, were said to contain the vulnerability, allowing malicious parties to take over an entire system. Files could be uploaded and then unpacked, after which they could be used as backdoors.

The researchers built a special tool, called FUSE, specifically to check whether certain platforms contain a security feature that prevents the uploading of executables.

The creators of the vulnerable apps (including WordPress) were notified of the problem, after which a number of them reported that the vulnerability had already been fixed with a patch. WordPress announced that it would work on the issue, while other creators indicated that they would not do anything with the findings.

The reason, given by two creators, was that some of the bugs found required admin access: someone with admin access could also reach a server of that service by normal means.

For security reasons, the academics did not disclose which of the vulnerabilities is present on which platform.