{"id":2060,"date":"2016-12-22T18:07:59","date_gmt":"2016-12-22T15:07:59","guid":{"rendered":"https:\/\/malware.expert\/?p=2060"},"modified":"2016-12-23T10:40:28","modified_gmt":"2016-12-23T07:40:28","slug":"gzpdecode-php","status":"publish","type":"post","link":"https:\/\/malware.expert\/vulnerability\/gzpdecode-php\/","title":{"rendered":"gzpdecode.php"},"content":{"rendered":"

WordPress Vulnerability in Cherry Plugin – Arbitrary File Upload<\/h3>\n

The Vulnerability allow an attacker to upload all types of files without administrator login.<\/p>\n

\/wp-content\/plugins\/cherry-plugin\/admin\/import-export\/upload.php<\/h4>\n
\r\n\tif(strtolower($_SERVER['REQUEST_METHOD']) != 'post'){\r\n\t\texit_status('Error! Wrong HTTP method!');\r\n\t}\r\n\tif(array_key_exists('file',$_FILES)){\r\n\t\t$upload_dir = isset($_REQUEST['upload_dir']) ? $_REQUEST['upload_dir'] : $upload_dir ;\r\n\t\t$file_name =basename($_FILES['file']['name']);\r\n\t\t$upload_file = $upload_dir.$file_name;\r\n\t\t$result = move_uploaded_file($_FILES['file']['tmp_name'], $upload_file);\r\n\t}\r\n\texit;\r\n<\/pre>\n
This is fixed<\/a> latest version of Cherry Plugin, but all customers won’t update their website and files.<\/p>\n
Interesting comes heres, botnetwork search this old vulnerability and if found they upload malware and backdoor files, which very difficult find because their names are very similar than WordPress core files.<\/p>\n
\r\n188.138.105.42 - - [18\/Dec\/2016:10:36:19 +0200] "POST \/wp-content\/plugins\/cherry-plugin\/admin\/import-export\/upload.php HTTP\/1.1" 200 176 "-" "Mozilla\/5.0 (WordPress.com; http:\/\/support.wordpress.com\/contact)"\r\n188.138.105.42 - - [18\/Dec\/2016:10:36:19 +0200] "GET \/wp-content\/plugins\/cherry-plugin\/admin\/import-export\/object-cache.phtml?ver HTTP\/1.1" 200 551 "-" "Mozilla\/5.0 (WordPress.com; http:\/\/support.wordpress.com\/contact)"\r\n<\/pre>\n
When a backdoor uploaded file successful, it calls it and download more malware on the server<\/p>\n
\r\n188.138.105.42 - - [18\/Dec\/2016:10:36:20 +0200] "GET \/wp-content\/plugins\/cherry-plugin\/admin\/import-export\/object-cache.phtml?level=5 HTTP\/1.1" 200 751 "-" "Mozilla\/5.0 (WordPress.com; http:\/\/support.wordpress.com\/contact)"\r\n188.138.105.42 - - [18\/Dec\/2016:10:37:04 +0200] "GET \/wp-content\/plugins\/cherry-plugin\/admin\/import-export\/object-cache.phtml?level=6 HTTP\/1.1" 200 1183 "-" "Mozilla\/5.0 (WordPress.com; http:\/\/support.wordpress.com\/contact)"\r\n<\/pre>\n
wp-load.php<\/h4>\n
Also, it patch core files \/wp-load.php<\/strong> (end of file) and create new on \/wp-admin\/wp-load.php<\/strong>.So it loaded every time someone request server url. <\/p>\n
\r\n\t\/\/ GZIP compress speeds up page loading. Edit and deleting this code is not recommended!\r\n\t\t@include( ABSPATH . WPINC . '\/SimplePie\/gzpdecode.php');\r\n<\/pre>\n
Backdoor wp-includes\/template.php & wp-includes\/version.php<\/h4>\n
It also modifies template and version file, so it’s check every time site loaded and if missing it load itself back<\/p>\n
\"gzpdecode\"<\/p>\n
Infected files<\/h4>\n
Clean First and filse need manually clean, but other’s can deleted.<\/p>\n
\r\n\/wp-includes\/template.php (Need Clean Manually)\r\n\/wp-includes\/version.php (Need Clean Manually)\r\n\/wp-load.php (Need Clean Manually)\r\n<\/pre>\n
\r\n\/version.php (Remove)\r\n\/wp-blog-content.php (Remove)\r\n\/wp-xmlrpc.php (Remove)\r\n\/wp-admin\/wp-load.php (Remove)\r\n\/wp-admin\/ms-menu.php (Remove)\r\n\/wp-admin\/includes\/images.php (Remove)\r\n\/wp-content\/wp-object-cache.php (Remove)\r\n\/wp-content\/plugins\/cherry-plugin\/admin\/import-export\/object-cache.phtml (Remove)\r\n\/wp-content\/themes\/hello.php (Remove)\r\n\/wp-content\/uploads\/license.php (Remove)\r\n\/wp-includes\/pomo\/so.php (Remove)\r\n\/wp-includes\/SimplePie\/gzpdecode.php (Remove)\r\n\/wp-includes\/Text\/Tiff.php (Remove)\r\n<\/pre>\n
Note!<\/strong> Also scan clamdscan again when you cleaned\/deleted files, because this is backdoor and itself autoinstall back if you are not fast!<\/p>\n
Use our Signatures<\/a> detect malware files.<\/p>\n","protected":false},"excerpt":{"rendered":"
WordPress Vulnerability in Cherry Plugin – Arbitrary File Upload The Vulnerability allow an attacker to upload all types of files without administrator login. \/wp-content\/plugins\/cherry-plugin\/admin\/import-export\/upload.php if(strtolower($_SERVER[’REQUEST_METHOD’]) != ‘post’){ exit_status(‘Error! Wrong HTTP method!’); } if(array_key_exists(‘file’,$_FILES)){ $upload_dir = isset($_REQUEST[’upload_dir’]) ? $_REQUEST[’upload_dir’] : $upload_dir ; $file_name =basename($_FILES[’file’][’name’]); $upload_file = $upload_dir.$file_name; $result = move_uploaded_file($_FILES[’file’][’tmp_name’], $upload_file); } exit; This is fixed … Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[42],"tags":[58,131,127,129,128,132,39,103,130],"class_list":["post-2060","post","type-post","status-publish","format-standard","hentry","category-vulnerability","tag-backdoor","tag-cherry","tag-file-upload","tag-gzpdecode","tag-gzpdecode-php","tag-plugin","tag-vulnerability","tag-wordpress","tag-wp-load-php"],"yoast_head":"\ngzpdecode.php<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/malware.expert\/vulnerability\/gzpdecode-php\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"gzpdecode.php\" \/>\n<meta property=\"og:description\" content=\"WordPress Vulnerability in Cherry Plugin – Arbitrary File Upload The Vulnerability allow an attacker to upload all types of files without administrator login. \/wp-content\/plugins\/cherry-plugin\/admin\/import-export\/upload.php if(strtolower($_SERVER['REQUEST_METHOD']) != 'post'){ exit_status('Error! Wrong HTTP method!'); } if(array_key_exists('file',$_FILES)){ $upload_dir = isset($_REQUEST['upload_dir']) ? $_REQUEST['upload_dir'] : $upload_dir ; $file_name =basename($_FILES['file']['name']); $upload_file = $upload_dir.$file_name; $result = move_uploaded_file($_FILES['file']['tmp_name'], $upload_file); } exit; This is fixed ... Read more\" \/>\n<meta property=\"og:url\" content=\"https:\/\/malware.expert\/vulnerability\/gzpdecode-php\/\" \/>\n<meta property=\"og:site_name\" content=\"Malware Expert\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Malware.Expert\/\" \/>\n<meta property=\"article:published_time\" content=\"2016-12-22T15:07:59+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2016-12-23T07:40:28+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/malware.expert\/wp-content\/uploads\/2016\/12\/gzpdecode-1024x527.png\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@Malware__Expert\" \/>\n<meta name=\"twitter:site\" content=\"@Malware__Expert\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/malware.expert\/vulnerability\/gzpdecode-php\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/malware.expert\/vulnerability\/gzpdecode-php\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\/\/malware.expert\/#\/schema\/person\/1016f76dbc76823a9aba2ba8f14abfd3\"},\"headline\":\"gzpdecode.php\",\"datePublished\":\"2016-12-22T15:07:59+00:00\",\"dateModified\":\"2016-12-23T07:40:28+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/malware.expert\/vulnerability\/gzpdecode-php\/\"},\"wordCount\":478,\"publisher\":{\"@id\":\"https:\/\/malware.expert\/#organization\"},\"image\":{\"@id\":\"https:\/\/malware.expert\/vulnerability\/gzpdecode-php\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/malware.expert\/wp-content\/uploads\/2016\/12\/gzpdecode-1024x527.png\",\"keywords\":[\"backdoor\",\"Cherry\",\"File Upload\",\"gzpdecode\",\"gzpdecode.php\",\"Plugin\",\"vulnerability\",\"wordpress\",\"wp-load.php\"],\"articleSection\":[\"vulnerability\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/malware.expert\/vulnerability\/gzpdecode-php\/\",\"url\":\"https:\/\/malware.expert\/vulnerability\/gzpdecode-php\/\",\"name\":\"gzpdecode.php\",\"isPartOf\":{\"@id\":\"https:\/\/malware.expert\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/malware.expert\/vulnerability\/gzpdecode-php\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/malware.expert\/vulnerability\/gzpdecode-php\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/malware.expert\/wp-content\/uploads\/2016\/12\/gzpdecode-1024x527.png\",\"datePublished\":\"2016-12-22T15:07:59+00:00\",\"dateModified\":\"2016-12-23T07:40:28+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/malware.expert\/vulnerability\/gzpdecode-php\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/malware.expert\/vulnerability\/gzpdecode-php\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/malware.expert\/vulnerability\/gzpdecode-php\/#primaryimage\",\"url\":\"https:\/\/malware.expert\/wp-content\/uploads\/2016\/12\/gzpdecode.png\",\"contentUrl\":\"https:\/\/malware.expert\/wp-content\/uploads\/2016\/12\/gzpdecode.png\",\"width\":2282,\"height\":1174,\"caption\":\"gzpdecode\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/malware.expert\/vulnerability\/gzpdecode-php\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/malware.expert\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"vulnerability\",\"item\":\"https:\/\/malware.expert\/category\/vulnerability\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"gzpdecode.php\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/malware.expert\/#website\",\"url\":\"https:\/\/malware.expert\/\",\"name\":\"Malware Expert\",\"description\":\"ModSecurity rules\",\"publisher\":{\"@id\":\"https:\/\/malware.expert\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/malware.expert\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/malware.expert\/#organization\",\"name\":\"Malware Expert\",\"url\":\"https:\/\/malware.expert\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/malware.expert\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/malware.expert\/wp-content\/uploads\/2023\/08\/cropped-malware_express_header_logo.png\",\"contentUrl\":\"https:\/\/malware.expert\/wp-content\/uploads\/2023\/08\/cropped-malware_express_header_logo.png\",\"width\":408,\"height\":82,\"caption\":\"Malware Expert\"},\"image\":{\"@id\":\"https:\/\/malware.expert\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/Malware.Expert\/\",\"https:\/\/x.com\/Malware__Expert\"],\"publishingPrinciples\":\"https:\/\/malware.expert\/editorial-guidelines\/\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/malware.expert\/#\/schema\/person\/1016f76dbc76823a9aba2ba8f14abfd3\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/malware.expert\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/76c5b003c7f6492ce413d3ad91151c1d648c58e54c5b360eeb19eec3562a0393?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/76c5b003c7f6492ce413d3ad91151c1d648c58e54c5b360eeb19eec3562a0393?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"http:\/\/willberg.me\"],\"url\":\"https:\/\/malware.expert\/author\/admin\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"gzpdecode.php","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/malware.expert\/vulnerability\/gzpdecode-php\/","og_locale":"en_US","og_type":"article","og_title":"gzpdecode.php","og_description":"WordPress Vulnerability in Cherry Plugin – Arbitrary File Upload The Vulnerability allow an attacker to upload all types of files without administrator login. \/wp-content\/plugins\/cherry-plugin\/admin\/import-export\/upload.php if(strtolower($_SERVER['REQUEST_METHOD']) != 'post'){ exit_status('Error! Wrong HTTP method!'); } if(array_key_exists('file',$_FILES)){ $upload_dir = isset($_REQUEST['upload_dir']) ? $_REQUEST['upload_dir'] : $upload_dir ; $file_name =basename($_FILES['file']['name']); $upload_file = $upload_dir.$file_name; $result = move_uploaded_file($_FILES['file']['tmp_name'], $upload_file); } exit; This is fixed ... Read more","og_url":"https:\/\/malware.expert\/vulnerability\/gzpdecode-php\/","og_site_name":"Malware Expert","article_publisher":"https:\/\/www.facebook.com\/Malware.Expert\/","article_published_time":"2016-12-22T15:07:59+00:00","article_modified_time":"2016-12-23T07:40:28+00:00","og_image":[{"url":"https:\/\/malware.expert\/wp-content\/uploads\/2016\/12\/gzpdecode-1024x527.png","type":"","width":"","height":""}],"author":"admin","twitter_card":"summary_large_image","twitter_creator":"@Malware__Expert","twitter_site":"@Malware__Expert","twitter_misc":{"Written by":"admin","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/malware.expert\/vulnerability\/gzpdecode-php\/#article","isPartOf":{"@id":"https:\/\/malware.expert\/vulnerability\/gzpdecode-php\/"},"author":{"name":"admin","@id":"https:\/\/malware.expert\/#\/schema\/person\/1016f76dbc76823a9aba2ba8f14abfd3"},"headline":"gzpdecode.php","datePublished":"2016-12-22T15:07:59+00:00","dateModified":"2016-12-23T07:40:28+00:00","mainEntityOfPage":{"@id":"https:\/\/malware.expert\/vulnerability\/gzpdecode-php\/"},"wordCount":478,"publisher":{"@id":"https:\/\/malware.expert\/#organization"},"image":{"@id":"https:\/\/malware.expert\/vulnerability\/gzpdecode-php\/#primaryimage"},"thumbnailUrl":"https:\/\/malware.expert\/wp-content\/uploads\/2016\/12\/gzpdecode-1024x527.png","keywords":["backdoor","Cherry","File Upload","gzpdecode","gzpdecode.php","Plugin","vulnerability","wordpress","wp-load.php"],"articleSection":["vulnerability"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/malware.expert\/vulnerability\/gzpdecode-php\/","url":"https:\/\/malware.expert\/vulnerability\/gzpdecode-php\/","name":"gzpdecode.php","isPartOf":{"@id":"https:\/\/malware.expert\/#website"},"primaryImageOfPage":{"@id":"https:\/\/malware.expert\/vulnerability\/gzpdecode-php\/#primaryimage"},"image":{"@id":"https:\/\/malware.expert\/vulnerability\/gzpdecode-php\/#primaryimage"},"thumbnailUrl":"https:\/\/malware.expert\/wp-content\/uploads\/2016\/12\/gzpdecode-1024x527.png","datePublished":"2016-12-22T15:07:59+00:00","dateModified":"2016-12-23T07:40:28+00:00","breadcrumb":{"@id":"https:\/\/malware.expert\/vulnerability\/gzpdecode-php\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/malware.expert\/vulnerability\/gzpdecode-php\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/malware.expert\/vulnerability\/gzpdecode-php\/#primaryimage","url":"https:\/\/malware.expert\/wp-content\/uploads\/2016\/12\/gzpdecode.png","contentUrl":"https:\/\/malware.expert\/wp-content\/uploads\/2016\/12\/gzpdecode.png","width":2282,"height":1174,"caption":"gzpdecode"},{"@type":"BreadcrumbList","@id":"https:\/\/malware.expert\/vulnerability\/gzpdecode-php\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/malware.expert\/"},{"@type":"ListItem","position":2,"name":"vulnerability","item":"https:\/\/malware.expert\/category\/vulnerability\/"},{"@type":"ListItem","position":3,"name":"gzpdecode.php"}]},{"@type":"WebSite","@id":"https:\/\/malware.expert\/#website","url":"https:\/\/malware.expert\/","name":"Malware Expert","description":"ModSecurity rules","publisher":{"@id":"https:\/\/malware.expert\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/malware.expert\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/malware.expert\/#organization","name":"Malware Expert","url":"https:\/\/malware.expert\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/malware.expert\/#\/schema\/logo\/image\/","url":"https:\/\/malware.expert\/wp-content\/uploads\/2023\/08\/cropped-malware_express_header_logo.png","contentUrl":"https:\/\/malware.expert\/wp-content\/uploads\/2023\/08\/cropped-malware_express_header_logo.png","width":408,"height":82,"caption":"Malware Expert"},"image":{"@id":"https:\/\/malware.expert\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Malware.Expert\/","https:\/\/x.com\/Malware__Expert"],"publishingPrinciples":"https:\/\/malware.expert\/editorial-guidelines\/"},{"@type":"Person","@id":"https:\/\/malware.expert\/#\/schema\/person\/1016f76dbc76823a9aba2ba8f14abfd3","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/malware.expert\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/76c5b003c7f6492ce413d3ad91151c1d648c58e54c5b360eeb19eec3562a0393?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/76c5b003c7f6492ce413d3ad91151c1d648c58e54c5b360eeb19eec3562a0393?s=96&d=mm&r=g","caption":"admin"},"sameAs":["http:\/\/willberg.me"],"url":"https:\/\/malware.expert\/author\/admin\/"}]}},"_links":{"self":[{"href":"https:\/\/malware.expert\/wp-json\/wp\/v2\/posts\/2060","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/malware.expert\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/malware.expert\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/malware.expert\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/malware.expert\/wp-json\/wp\/v2\/comments?post=2060"}],"version-history":[{"count":5,"href":"https:\/\/malware.expert\/wp-json\/wp\/v2\/posts\/2060\/revisions"}],"predecessor-version":[{"id":2080,"href":"https:\/\/malware.expert\/wp-json\/wp\/v2\/posts\/2060\/revisions\/2080"}],"wp:attachment":[{"href":"https:\/\/malware.expert\/wp-json\/wp\/v2\/media?parent=2060"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/malware.expert\/wp-json\/wp\/v2\/categories?post=2060"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/malware.expert\/wp-json\/wp\/v2\/tags?post=2060"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}