Updating the plug-in does not fully mitigate risks

Dec 11, 2014 10:15 GMT  ·  By

The most recent update for the HD FLV Player component for Joomla, WordPress, and custom websites fixed a serious problem but ignored a glitch that would allow an attacker to send spam emails.

HD FLV Player has been downloaded more than 200,000 times for the supported platforms, the Joomla version being more popular than the one for WordPress.

Arbitrary file download possible on vulnerable versions

The developers recently released a fix for a problem that allowed an unauthenticated visitor to download arbitrary files from the server.

With no security checks in place for “download.php,” anyone who knew the URL structure could retrieve any file from the server. The implications are severe, because this type of access can lead to complete takeover of the website and its use for malicious purposes.
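The defensive counterpart to the flaw described above is a download handler that refuses to serve anything outside one fixed directory. The following is an added illustration of that pattern, not HD FLV Player's own code; the media directory, the allowed extensions and the `file` query parameter are assumptions made for the example:

```php
<?php
// Added example, not HD FLV Player's own code: a download endpoint that can
// only serve files from one fixed media directory. MEDIA_DIR, ALLOWED_EXT and
// the "file" query parameter are assumptions made for this illustration.

declare(strict_types=1);

const MEDIA_DIR   = '/var/www/site/media';     // assumed location of the videos
const ALLOWED_EXT = ['mp4', 'flv', 'webm'];    // assumed streamable formats

/**
 * Map a client-supplied name to an absolute path inside MEDIA_DIR.
 * Returns null when the name escapes that directory, names a hidden file,
 * has a disallowed extension, or does not exist.
 */
function resolve_download(string $requested): ?string
{
    // Keep only the final path component, so any directory part the client
    // sends (including "..") is discarded before the path is built.
    $name = basename($requested);
    if ($name === '' || $name[0] === '.') {
        return null;
    }

    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }

    $base = realpath(MEDIA_DIR);
    $path = realpath(MEDIA_DIR . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }

    // realpath() resolves symlinks, so a link inside MEDIA_DIR that points
    // elsewhere also fails this prefix check.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$requested = $_GET['file'] ?? '';
$path = resolve_download(is_string($requested) ? $requested : '');
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

The two checks that matter are `basename()` (the client never chooses a directory) and the `realpath()` prefix comparison (the final, symlink-resolved path must still sit under the media directory). The extension whitelist is a second layer that keeps configuration files out of reach even if the directory rule were ever relaxed.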

The component has been patched against this flaw, but a similar one remains in “email.php.” In this case, exploitation results in the site sending unsolicited emails.

Marc-Alexandre Montpas of Sucuri explained in a blog post on Wednesday that, after filtering the variables used to send emails, the script treats a request as legitimate if the supplied “referrer” field matches the website’s URL.

However, the “referrer” field is supplied by the client and is not protected against modification, so an attacker can set it to any value, including the website’s own URL.
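A Referer value is evidence of nothing because the client writes it. The added example below, which is not the plug-in's code, places the weak pattern beside a server-side alternative: a random token stored in the visitor's session, echoed back by the share form and compared in constant time. The site URL, the `share_video_token` session key, the form field names and the sender address are all assumptions:

```php
<?php
// Added example, not HD FLV Player's own code: why a Referer check is not
// authorisation, and a session-bound token that is. SITE_URL, the session key
// "share_video_token", the POST field names and the From address are assumed.

declare(strict_types=1);
session_start();

const SITE_URL = 'https://example.com';   // assumed: the site's own URL

// Weak pattern, shown only for contrast: HTTP_REFERER is a request header the
// client chooses, so this proves nothing about where the request came from.
function referer_matches_site(): bool
{
    $referer = $_SERVER['HTTP_REFERER'] ?? '';
    return strpos($referer, SITE_URL) === 0;
}

// Stronger pattern: the page that renders the share form receives a random
// token kept in the visitor's session; the mail endpoint accepts only a
// request that echoes that token back.
function issue_share_token(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['share_video_token'] = $token;
    return $token;   // embed as a hidden form field when rendering the page
}

function verify_share_token(?string $submitted): bool
{
    $expected = $_SESSION['share_video_token'] ?? null;
    if (!is_string($expected) || !is_string($submitted)) {
        return false;
    }
    $ok = hash_equals($expected, $submitted);   // constant-time comparison
    unset($_SESSION['share_video_token']);      // single use
    return $ok;
}

// Accept only syntactically valid recipients and links to this site's own
// pages, and keep user-controlled text out of the header block, where
// newlines could otherwise inject extra headers.
function build_share_mail(string $to, string $videoUrl): ?array
{
    if (filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    if (strpos($videoUrl, SITE_URL . '/') !== 0) {
        return null;
    }
    return [
        'to'      => $to,
        'subject' => 'A video was shared with you',   // fixed text, not user input
        'body'    => "Watch it here: {$videoUrl}\r\n",
        'headers' => 'From: no-reply@example.com',    // assumed sender address
    ];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $token = $_POST['token'] ?? null;
    if (!verify_share_token(is_string($token) ? $token : null)) {
        http_response_code(403);
        exit('Invalid or missing token');
    }

    $to    = $_POST['to']    ?? '';
    $video = $_POST['video'] ?? '';
    $mail  = build_share_mail(is_string($to) ? $to : '', is_string($video) ? $video : '');
    if ($mail === null) {
        http_response_code(400);
        exit('Bad request');
    }

    mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
    echo 'Sent';
}
```

Inside WordPress or Joomla the same idea is already provided by the platform (WordPress's `wp_create_nonce()`/`wp_verify_nonce()`, Joomla's session token check), so a plug-in should use those rather than its own scheme. A token does not by itself stop a logged-in visitor from submitting the form repeatedly, so a per-session or per-IP rate limit on the mail endpoint is the natural companion to it.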

Users can take action to mitigate risk

In the case of Joomla and WordPress users, the update for HD FLV Player has been delivered silently, but they still have to take some action, as it addresses only the arbitrary file download issue.

The recommendation is to remove the “email.php” file from the website in order to prevent the email server’s address from being blacklisted for sending out spam.

In the case of custom websites, deleting both “download.php” and “email.php” should mitigate the aforementioned risks.

HD FLV Player allows video streaming and it features support for both Flash and HTML5, making the content visible on both computers and smartphones.

The developers have integrated control over the options a viewer has in the player. As such, the admin can allow functions such as sharing, volume control, download, full-screen view, or creating playlists.

Furthermore, admins have the possibility to add captions to the footage, which are displayed on the front-end for users during the play.

The plug-in is free for both Joomla and WordPress, the only limitation being the developer’s logo in the clip. This can be removed by purchasing a license.

HD FLV Player glitch (3 images)

Image captions: The referrer field can be easily modified; No security checks for accessing the download.php file; email.php filters the variables used to send emails