
If you’re a Wordfence user, you may have received a notice about a security issue in AdRotate Banner Manager recently. This issue supposedly lets people upload dangerous files, for example a file carrying bad code posing as a jpg image.
Supposedly this was reported to me in 2022 but I have no memory of ever talking about this. But then 2 years is a long time, so let’s take their word for it. Based on my findings today I guess I couldn’t reproduce the hack with the information I had at the time. And I think communication broke down soon after.
Knowing me, I probably argued about the validity of the report, not being able to reproduce the problem, or not fully understanding the problem… I’m no security expert after all.
The issue with uploading files
AdRotate Banner Manager and AdRotate Pro did not properly verify mimetypes of files at the time. By cheating with file types you could end up uploading what you think is a banner image, but in reality it could be a file with malicious code in it. I guess you can call that a type of malware.
A mimetype is what identifies a file as an image, for example a jpg file has a mimetype of image/jpg and a zip file may have something like application/zip.
The risk of getting a malicious file is relatively small and the actual bug does not happen on any of my servers. I had to switch my local test server to PHP CGI to see the hack work. I’m told a few servers with PHP fastCGI and PHP SAPI are affected too but I can’t test that as I don’t have such a server.
Anyway, on April 7th 2022 I released AdRotate Banner Manager 5.8.23 which fixed the issue. On April 20th 2022 I released version 5.8.19 for AdRotate Professional, fixing the issue there too. Probably in response to the report but I don’t recall.
The solution was simple and required a better check on the file’s mimetype and extension. I don’t really recall what I changed exactly, but I think before this change AdRotate mostly relied on the file extension being true. Simply checking the file extension is easier, and thus logically I used that method before.
No matter though, AdRotate Banner Manager and AdRotate Pro have been checking things more strictly and correctly since 2022, and the malicious files can no longer be uploaded as far as I can tell.
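To illustrate the difference between trusting the extension and checking the content, here is an added example of the kind of upload check described above. It is not AdRotate’s code; the allow-list, file names and the two sample files are constructed for the demonstration.

```php
<?php
// Added example: validate an upload by extension AND content, not by extension alone.
// Standalone PHP CLI script; does not depend on WordPress or AdRotate.

// Extension => content mimetypes we accept for banner images (constructed allow-list).
const ALLOWED = [
    'jpg'  => ['image/jpeg'],   // the registered type is image/jpeg, not image/jpg
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
];

function validate_banner(string $path, string $original_name): array {
    $ext = strtolower(pathinfo($original_name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return [false, "extension .$ext not allowed"];
    }
    // 1. Sniff the mimetype from the file *content* (libmagic), never from the name
    //    or from $_FILES['type'], both of which the uploader controls.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $path);
    finfo_close($finfo);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        return [false, "content is $mime, expected " . implode('/', ALLOWED[$ext])];
    }
    // 2. Require the file to actually decode as an image; a script renamed to .jpg fails here.
    $info = @getimagesize($path);
    if ($info === false || $info['mime'] !== $mime) {
        return [false, 'not a decodable image'];
    }
    // Caveat: a genuine image with a script appended still passes both checks; re-encoding
    // with GD (imagecreatefromstring + imagejpeg/imagepng) discards such trailing data.
    return [true, "ok: $mime {$info[0]}x{$info[1]}"];
}

// Constructed samples: a genuine 1x1 GIF and a PHP script given a .jpg name.
$dir  = sys_get_temp_dir();
$good = "$dir/banner.gif";
file_put_contents($good, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
$bad  = "$dir/fake.jpg";
file_put_contents($bad, "<?php echo 'not an image'; ?>");

foreach ([[$good, 'banner.gif'], [$bad, 'fake.jpg']] as [$path, $name]) {
    [$ok, $why] = validate_banner($path, $name);
    printf("%-12s %s (%s)\n", $name, $ok ? 'ACCEPT' : 'REJECT', $why);
    unlink($path);
}
```

Run with `php` on the command line; the GIF is accepted and the renamed script is rejected at the content check before it is ever stored under a web-served path.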
The real issue though
I don’t know who’s in charge of doing anything at Wordfence but they neglected to verify and confirm my updates which caused the report to remain open for years until they suddenly decided to make it public on August 19 2024. Even the creator of the report claims to have no idea why it’s published now.
Luckily an AdRotate user alerted me so I could investigate.
I think that…
Wordfence should remind the people involved during those 2 years that the issue is still open. But I guess they don’t care that much about making the internet safer after all.
I also think that Wordfence should alert the people involved that they’re about to disclose a security issue from an older report, say a week before. This way there is a last chance to still fix things before they ruin everyone’s day. But I guess courtesy is not their thing either.
And I think that the messaging Wordfence uses to its users is borderline fear mongering. “Ohno a supposedly high risk issue without a solution. Maybe not think twice and uninstall the software!”. I guess they don’t consider the success of smaller developers either by classifying and wording reports the way they do. Since this particular issue, while dangerous, is not particularly high risk. Imagine the damage they cause those developers with their generic messaging to unwitting users who trust their crap.
And finally I think Wordfence is hard to reach and slow to respond for things like this. Yes they have an email address, but it’s a ticket system and only available during office hours in the US or something. Imagine having something urgent like a faulty report telling people falsely that their website is at risk.
Yeah, imagine… Geez!
Closing the report
Hopefully Wordfence gets their sh*t together soon and processes my emails so we can all stop being misled by their incompetence and so we can stop wasting everyone’s time.
Here’s hoping someone at Wordfence finally updates the report with the correct information like they should have done 2 years ago.
What a f*cking shitshow!
The only positive so far to come from this is that I found another bug, where AdRotate does not check if a created folder already exists. So that’ll be fixed in a near future update.
Your questions
If you have any concerns, have any useful feedback, or just want to know a bit more about all this, feel free to contact me through the contact form elsewhere on this site.
I’ll be happy to try and answer your messages with more information.
