Follow

09/25/17: WordPress admin-ajax.php Directory Traversal | Security Bulletin

Threat Summary

Overview

A directory traversal vulnerability in the wp_ajax_update_plugin in WordPress allows remote authenticated users to cause a denial of service or read certain text files via a .. (dot dot) in the plugin parameter.

Exploitation

 

Stages

  1. The attacker sends a specially crafted request to admin-ajax.php, containing a valid authentication token. The attacker defines the ‘plugin’ parameter as ../../../../../../dev/random and sets the action parameter to ‘update-plugin’.
  2. The wp_ajax_update_plugin function located in wp-admin/includes/ajax-actions.php is called and reads up to 8KB of data from /dev/random. Repeated calls will deplete the entropy pool, resulting in a denial of service condition.

Prerequisites

You must have WordPress version prior to 4.5.3 along with a valid authentication token of at least subscriber privilege.

Vulnerability Description

A path traversal vulnerability exists in the Core Ajax handlers of the WordPress Admin API. The vulnerability lies in the plugin update function 'wp_ajax_update_plugin()'. This function defines the 'plugin' parameter as $_POST[‘plugin’], allowing attackers directory traversal capabilities resulting in a denial of service condition via specially crafted requests. An authenticated attacker can specify the plugin location as /dev/random and deplete the entropy pool over multiple requests.

Alert Logic Coverage

Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.

The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit when detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.

Detection of this threat is provided via Alert Logic ActiveWatch for Web Security Manager™ service. Depending on your deployment of Web Security Manager, you will receive an incident (for out-of-band deployment) or the threat will be actively blocked and rejected (for the inline Web Security Manager Premier deployment) if an exploit attempt is observed.

Recommendations for Mitigation

Customers are advised to perform the following actions:

  • Update the plugin to the latest version
  • Disable the plugin and seek an alternative, non-vulnerable plugin
Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.