There is an arbitrary file upload vulnerability in the WordPress plugin Gravity Falls before version 1.8.20.5. The vulnerability is caused by missing sanitization of user-supplied input. A remote, unauthenticated attacker can send a request to ‘/?gf_page=upload’ that uploads a malicious file, which can lead to total compromise of the server.
Exploitation
Stages
- The remote, unauthenticated attacker sends a POST request to ‘/?gf_page=upload’ whose multipart body carries the malicious file.
- The server accepts the upload and responds successfully, indicating the location and name of the stored file.
- The attacker requests the stored file at that location; if the web server treats it as executable (for example, a PHP script), the attacker's code runs on the system.
Prerequisites
The target must be running a vulnerable version of the plugin; no credentials are required. In practice the attacker first needs to determine that the vulnerable plugin is installed and active on the target server.
Vulnerability Description
There is an arbitrary file upload vulnerability in the WordPress plugin Gravity Falls before version 1.8.20.5. The vulnerability is caused by missing sanitization of user-supplied input. A remote, unauthenticated attacker can send a request to ‘/?gf_page=upload’ that uploads a malicious file. Certain conditions must be met for the upload to succeed: the ‘form_id’ and ‘field_id’ parameters must be integers, and the filename's extension must not appear on the plugin's list of disallowed extensions. Successful exploitation can lead to total compromise of the server.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to this exploit and has developed signatures for mitigating the threat, depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) used by Alert Logic Threat Manager™ has been updated with new signatures for this exploit. When a signature matches, an incident is generated in the Alert Logic console.
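As an added example (not Alert Logic's signature and not the plugin's code), the following Python reproduces the detection conditions this advisory describes and runs them over constructed sample requests: a POST to /?gf_page=upload with a multipart body whose file part carries an executable extension. The form fields form_id and field_id come from the advisory; the file part name "file", the Host header, the boundary, and every request here are assumptions or constructed samples, not captured traffic.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Extensions a typical web server would execute; used as the alert condition.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "cgi", "pl", "sh"}


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def multipart_filenames(body: str) -> list:
    """Every filename="..." value from the multipart Content-Disposition headers in the body."""
    return re.findall(r'filename="([^"\r\n]*)"', body)


def executable_extensions(filename: str) -> set:
    """Lower-cased dotted suffixes of the basename that are executable (catches x.PhP and shell.php.jpg)."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return {part for part in base.split(".")[1:] if part in EXECUTABLE_EXTENSIONS}


def classify_request(raw: str) -> tuple:
    """Return (alert, reason), mirroring the conditions in the advisory's exploitation stages."""
    req = parse_http_request(raw)
    query = parse_qs(urlsplit(req["target"]).query)
    if query.get("gf_page") != ["upload"]:
        return (False, "not the gf_page=upload endpoint")
    if req["method"] != "POST":
        return (False, "no file can be uploaded without a POST")
    if not req["headers"].get("content-type", "").startswith("multipart/form-data"):
        return (False, "no multipart body")
    for name in multipart_filenames(req["body"]):
        hits = executable_extensions(name)
        if hits:
            return (True, f"executable upload {name!r} to gf_page=upload ({', '.join(sorted(hits))})")
    return (False, "upload carries no executable extension")


def build_upload_request(filename: str, content: str, boundary: str = "----ConstructedBoundary") -> str:
    """Constructed POST to the endpoint; form_id/field_id are from the advisory, the part name 'file' is assumed."""
    body = (
        f'--{boundary}\r\nContent-Disposition: form-data; name="form_id"\r\n\r\n1\r\n'
        f'--{boundary}\r\nContent-Disposition: form-data; name="field_id"\r\n\r\n3\r\n'
        f'--{boundary}\r\nContent-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        f"Content-Type: application/octet-stream\r\n\r\n{content}\r\n--{boundary}--\r\n"
    )
    return (
        "POST /?gf_page=upload HTTP/1.1\r\nHost: victim.example\r\n"
        f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    )


# Constructed samples, not real traffic.
SAMPLES = {
    "benign_pdf": build_upload_request("resume.pdf", "%PDF-1.4 constructed"),
    "webshell": build_upload_request("shell.php", "<?php /* constructed payload */ ?>"),
    "case_bypass": build_upload_request("shell.PhP", "<?php /* constructed payload */ ?>"),
    "double_ext": build_upload_request("shell.php.jpg", "<?php /* constructed payload */ ?>"),
    "probe_only": "GET /?gf_page=upload HTTP/1.1\r\nHost: victim.example\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        alert, reason = classify_request(raw)
        print(f"{label:12} {'ALERT' if alert else 'ok':5} {reason}")
```

The extension check is case-insensitive and looks at every dotted suffix, so an upload named shell.PhP or shell.php.jpg raises the same alert as shell.php; a plain GET to the endpoint is a probe, not an upload, and is not flagged.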
Recommendations for Mitigation
Update the plugin to the most recent version; versions from 1.8.20.5 onward are not affected by this vulnerability.
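The advisory attributes the bug to missing input sanitization and notes that the plugin's upload check is a list of disallowed extensions. As an added illustration (not the plugin's code; the denylist and allowlist below are assumed policies, not the plugin's actual lists), the following Python puts that weak denylist pattern next to a hardened allowlist check with server-chosen storage names and strict integer ids, and shows which constructed filenames each accepts.

```python
import os
import re
import secrets

# Hypothetical denylist standing in for the "list of disallowed extensions" the advisory
# mentions; it is an illustration, not the plugin's actual list.
DENYLIST = {"php", "php3", "php4", "php5", "exe", "js", "html"}
# Assumed policy for an upload field that is only meant to take documents and images.
ALLOWLIST = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


def denylist_accepts(filename: str) -> bool:
    """The weak pattern: reject only when the last extension is on the denylist."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext not in DENYLIST


def allowlist_accepts(filename: str) -> bool:
    """The hardened pattern: one safe basename, exactly one extension, case-folded, and allowlisted."""
    base = os.path.basename(filename.replace("\\", "/"))
    match = re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})", base)
    return bool(match) and match.group(1).lower() in ALLOWLIST


def is_integer_id(value: str) -> bool:
    """form_id/field_id must be plain decimal integers, as the advisory notes; no '1abc', '1.0' or '-1'."""
    return isinstance(value, str) and re.fullmatch(r"[0-9]+", value) is not None


def safe_storage_name(filename: str) -> str:
    """Server-chosen name: a random token plus the validated extension, never the client's name or path."""
    if not allowlist_accepts(filename):
        raise ValueError(f"rejected upload name {filename!r}")
    ext = filename.rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


def compare_validators(filenames) -> dict:
    """Map each filename to (denylist accepts, allowlist accepts) to show what the denylist lets through."""
    return {name: (denylist_accepts(name), allowlist_accepts(name)) for name in filenames}


if __name__ == "__main__":
    # Constructed probe names, including the classic denylist bypasses.
    probes = ["photo.JPG", "shell.php", "shell.PHP", "shell.phtml", "shell.php.jpg", "../../x.pdf"]
    for name, (deny_ok, allow_ok) in compare_validators(probes).items():
        print(f"{name:16} denylist={'accept' if deny_ok else 'reject':6} "
              f"allowlist={'accept' if allow_ok else 'reject'}")
    print("stored as:", safe_storage_name("photo.JPG"))
```

The denylist lets shell.phtml (not on the list), shell.PHP (case) and shell.php.jpg (last extension only) through, which is why patching to a version with proper sanitization matters more than tuning a denylist; the allowlist rejects all three, and the random storage name means a client-supplied path such as ../../x.pdf never reaches the filesystem.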