Announcing a secure SWFUpload fork

The WordPress security team has officially forked the long-abandoned SWFUpload project and is strongly encouraging all web developers who use SWFUpload to update.

We strongly suggest you do not use SWFUpload. But if you must, use this fork. You can find it on GitHubGitHub GitHub is a website that offers online implementation of git repositories that can easily be shared, copied and modified by other developers. Public repositories are free to host, private repositories require a paid subscription. GitHub introduced the concept of the ‘pull request’ where code changes done in branches by contributors can be reviewed and discussed before being merged be the repository owner. https://github.com/ at github.com/wordpress/secure-swfupload.

WordPress does not use SWFUpload, but we continue to include it in WordPress coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress. for plugins that have yet to be updated to use Plupload, our upload library of choice. Plupload is written and actively maintained by Moxiecode, the developers of TinyMCE.

We do not condone the use of abandonware. We only wish to make the web a better place by ensuring that developers have access to a secure version of SWFUpload, when the only alternative may be to use insecure code.

This is a fork of SWFUpload 2.2.0.1 and includes cross-site scripting fixes that have been reported by Szymon Gruszecki (CVE-2013-2205 and CVE-2012-2399), and Neal Poole and Nathan Partlan (CVE-2012-3414). It also includes fixes from Yelp’s engineering team for CVE-2012-2399.

WordPress 3.5.2, released moments ago, includes fixes for CVE-2013-2205 and CVE-2012-2399. WordPress 3.3.2 (2012-04-20) included a fix for CVE-2012-3414 and an incomplete fix for CVE-2012-2399.

If you think you have found a vulnerability in this fork of SWFUpload, we appreciate your help in disclosing it to us responsibly. Please email reports of security vulnerabilities to swfupload-security AT wordpress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/. These reports will be reviewed by the WordPress security team and by security researchers contributing to this project, including Neal and Szymon.

#security, #swfupload