There is a vulnerability in the Nmedia User File uploader plugin for WordPress, versions <= 1.8, that allows remote unauthenticated users to upload arbitrary files to the system. Successful exploitation could lead to a complete compromise of the server. The file doupload.php was created to allow users to upload files; however, it makes no attempt to validate file types or check authentication levels.
Exploitation
Stages
- The remote unauthenticated attacker sends a POST request to doupload.php and uploads a PHP file to the server.
- The server responds successfully with the location of the file.
- The attacker requests the uploaded file at /wp-content/uploads/user_uploads/.
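The stages above leave a two-step trail in web server access logs. The following is an added example, not part of the original advisory and not Alert Logic's signature: it flags successful POSTs to doupload.php and successful requests for script files under the upload directory. The combined log format, the `PLUGIN_DIR` placeholder, the extension list and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumed input: combined access-log format (ip - - [time] "METHOD target PROTO" status ...)
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')
UPLOAD_DIR = "/wp-content/uploads/user_uploads/"  # directory named in the advisory
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)  # assumed list

def find_upload_abuse(lines):
    """Return (uploads, executions): stage-1 POSTs and stage-3 script requests."""
    uploads, executions = [], []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, when, method, target, status = m.groups()
        path = unquote(urlsplit(target).path)  # drop query string, decode %xx
        ok = status.startswith("2")
        if method == "POST" and path.lower().endswith("/doupload.php") and ok:
            uploads.append((ip, when, path))
        elif path.startswith(UPLOAD_DIR) and SCRIPT_EXT.search(path) and ok:
            # A script served successfully from the upload directory is the alert.
            executions.append((ip, when, path))
    return uploads, executions

def correlated_clients(uploads, executions):
    """Clients seen in both stages: the first leads to triage."""
    return sorted({u[0] for u in uploads} & {e[0] for e in executions})

# Constructed sample log lines (documentation IP ranges, placeholder plugin directory).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2000:10:00:01 +0000] "POST /wp-content/plugins/PLUGIN_DIR/doupload.php HTTP/1.1" 200 87 "-" "-"',
    '203.0.113.7 - - [01/Jan/2000:10:00:05 +0000] "GET /wp-content/uploads/user_uploads/example.php HTTP/1.1" 200 12 "-" "-"',
    '198.51.100.20 - - [01/Jan/2000:10:02:00 +0000] "POST /wp-content/plugins/PLUGIN_DIR/doupload.php HTTP/1.1" 200 91 "-" "-"',
    '198.51.100.20 - - [01/Jan/2000:10:02:03 +0000] "GET /wp-content/uploads/user_uploads/photo.jpg HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.44 - - [01/Jan/2000:10:05:00 +0000] "GET /wp-content/uploads/user_uploads/example.php HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    uploads, executions = find_upload_abuse(SAMPLE_LOG)
    for ip, when, path in executions:
        print(f"script served from upload dir: {ip} [{when}] {path}")
    print("clients with upload and execution:", correlated_clients(uploads, executions))
```

Because the plugin checks neither file type nor authentication, every successful POST to doupload.php on a vulnerable version deserves a look at the file it stored, even when no script request follows.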
Prerequisites
The plugin must be installed on the victim system.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with new signatures that detect this exploit via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Upgrade to a non-vulnerable version to mitigate this vulnerability.