An arbitrary file upload vulnerability exists on servers with legacy Apache PHP handler configurations running the WordPress contus-video-gallery plugin <= 2.8, potentially including the current 3.0 release. The vulnerability exists as a result of a legacy web server configuration option combined with insufficient filtering of the uploaded file extensions. The configuration enables files containing PHP to be processed as PHP pages despite having a trailing file extension associated with a different media type. Files containing PHP code and multiple extensions including ‘.php’ can be uploaded and executed, resulting in remote code execution (RCE).
- A file with multiple file extensions ending with a whitelisted extension is submitted via an upload POST request.
- The server responds with a 200 response and ‘Upload Success’ message.
- The attacker requests the uploaded file, resulting in RCE if the server is configured with the appropriate handler.
The attacker must be able to send crafted packets to the target system.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit when detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Upgrade to a non-vulnerable version to mitigate this vulnerability.