
08/15/17: WordPress (CMS) CM Download Manager alterSearchQuery Remote PHP Code Execution | Security Bulletin

Threat Summary

Overview

The alterSearchQuery function used by the CreativeMinds CM Download Manager plugin for WordPress, in versions prior to 2.0.4, allows unauthenticated remote attackers to execute arbitrary PHP code on the web server.

Exploitation

Stages

  1. The attacker sends a crafted search request to the CM Download Manager plugin, carrying the payload in the CMDsearch parameter.
  2. The plugin hands the search term to alterSearchQuery in CmdownloadController.php, which embeds it in a string passed to PHP's create_function, so the attacker-supplied text is compiled and run as PHP.
  3. The response to the search request, including any output of the injected code, is returned to the attacker.

Prerequisites

The attacker only needs network access to the affected WordPress site; no authentication is required to exploit this vulnerability.

Vulnerability Description

The alterSearchQuery function in "lib/controllers/CmdownloadController.php", used by the CreativeMinds CM Download Manager plugin prior to version 2.0.4 for WordPress, allows remote attackers to execute arbitrary PHP code. The value of the CMDsearch request parameter is concatenated into the code string passed to PHP's create_function, which compiles that string as PHP source in the same way eval does; a search term that closes the surrounding string literal can therefore inject an arbitrary PHP expression. Note that create_function is deprecated since PHP 7.2 and removed in PHP 8.0, so the vulnerable code path exists only on older interpreters.
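The following is an added illustrative example and is not code from the CM Download Manager plugin or from Alert Logic. It reproduces only the pattern the description above names: a request parameter spliced into the source string handed to create_function, shown beside a closure-based version that treats the same input as data. The function names, the table and column names and the sample inputs are all invented for the illustration.

```php
<?php
// Added illustrative example, not the plugin's code. Function names,
// SQL fragments and inputs are hypothetical.

/** Vulnerable pattern: the search term becomes part of PHP source. */
function vulnerable_search_filter(string $userSearch): callable
{
    // create_function() was deprecated in PHP 7.2 and removed in 8.0;
    // on newer interpreters this pattern cannot even be compiled.
    if (!function_exists('create_function')) {
        throw new RuntimeException('create_function() is not available on this PHP');
    }
    // $userSearch is pasted verbatim into the code string. A term that closes
    // the double-quoted literal and appends an expression is executed.
    $code = 'return $query . " AND post_title LIKE \'%' . $userSearch . '%\'";';
    return create_function('$query', $code);
}

/** Hardened pattern: a real closure captures the input as a value. */
function safe_search_filter(string $userSearch): callable
{
    // Escape LIKE wildcards. In a WordPress plugin the value would be bound
    // with $wpdb->prepare('... LIKE %s', $like) rather than concatenated.
    $like = '%' . addcslashes($userSearch, '%_\\') . '%';
    return function (string $query) use ($like): string {
        return $query . " AND post_title LIKE '" . str_replace("'", "''", $like) . "'";
    };
}

$base = 'SELECT ID FROM wp_posts WHERE post_type = "download"';

// Constructed inputs: an ordinary search term, and one that breaks out of
// the string literal and inserts a harmless PHP expression.
$normal  = 'report';
$hostile = '" . strtoupper("injected") . "';

foreach ([$normal, $hostile] as $term) {
    echo "input : $term\n";
    // The closure never evaluates the term: the hostile text stays literal.
    echo "safe  : " . safe_search_filter($term)($base) . "\n";
    if (function_exists('create_function')) {
        // On PHP < 8 the hostile term is evaluated and the output contains INJECTED.
        echo "vuln  : " . @vulnerable_search_filter($term)($base) . "\n";
    }
    echo "\n";
}
```

Run under PHP 7.x to see both branches; the hostile term produces `INJECTED` only in the create_function output, while the closure-based filter returns it as an escaped literal. The fix is not better escaping of the code string but removing the dynamic code construction altogether, which is what a closure with a `use` clause gives you.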

Alert Logic Coverage

Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.

The Network-Based Intrusion Detection System (IDS) signatures used by Alert Logic Threat Manager™ have been updated to detect this exploit. When the signature fires, an incident is generated in the Alert Logic console.

Recommendations for Mitigation

Upon discovery of a successful exploit, customers are expected to take normal reasonable action in accordance with their own standard operating procedures, such as:

  • Isolate the compromised device from the network.
  • Wipe and reinstall the device from secure media.
  • Update the CM Download Manager plugin to version 2.0.4 or later from a trusted source (or otherwise mitigate with a firewall rule, configuration change, etc.).
  • Replace data from backups.
  • Test the device.