Thursday, August 18, 2016

Example of Wordpress File Disclosure

I saw this attack in the logs and thought it was interesting enough to mention. It's a known exploit for the WordPress Elegance Theme.

POST /wp-content/themes/elegance/lib/scripts/dl-skin.php HTTP/1.1
Content-Length: 60
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded

It's actually quite simple, there is a PHP page called dl-skin.php that contained a POST parameter called _mysite_download_skin that was not properly sanitized / checking file paths. It is supposed to only allow a user to enter a skin file location in the current skins folder. But since it's not properly checking file path traversal the attacker can actually use the ../ shell command to go up/down folder structures and find files they want. In this case they go up 5 folders to where they believe the wp-config.php file is which is your Wordpress configuration file which probably contains keys, passwords, and all sorts of goodies. This can also be used to access the /etc/passwd file or anything else interesting on a server.

To prevent this of course upgrade your themes and plugins and Wordpress. Ideally you should remove themes and plugins you aren't using. In addition the account that is running Apache is of importance in this. If your account has proper least privilege permissions, this can limit what files the account can actually access for the attacker. But if your Apache web account is root for example or some other higher privileged account then the attacker can gain access to pretty much anywhere on your file system.

More about neonprimetime

Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java

Top Github Contributions
  1. Qualys Scantronitor 2.0

Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

No comments:

Post a Comment