Several arbitrary file upload vulnerabilities are present in version 0.0.32 of the social WordPress plugin. They exist because the plugin neither validates nor filters the types of files that can be uploaded through it. The upload functionality also has no authentication mechanism that would restrict its use to authorized users. The same functionality is duplicated several times across the plugin with only minor changes, so exploitation is possible through any one of five scripts. The vulnerability can be exploited with a single unauthenticated POST request that uploads a malicious executable file, such as a web shell, to achieve remote code execution on the server.
Exploitation
Stages
- An executable PHP file is submitted via an upload POST request to one of the five vulnerable scripts.
- The server responds with a 302 redirect to a corresponding social plugin admin page.
- The attacker requests the uploaded file, resulting in remote code execution.
Prerequisites
The attacker must be able to send crafted packets to the target system.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit when detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.
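The three stages above map directly onto a sequence a defender can look for in web server access logs: a POST to a plugin script answered with a 302, followed by the same client requesting a PHP file from the uploads directory. The following Python is an added illustration of that correlation and is not Alert Logic's IDS signature or the plugin's own code. It assumes the plugin is installed under /wp-content/plugins/social/ (the advisory does not name the five upload scripts, so any PHP file in that directory is treated as a candidate), that uploads land under the standard /wp-content/uploads/ directory, and that logs are in the Apache/Nginx combined format; the log lines at the bottom are constructed sample data.

```python
"""Correlate the upload-then-execute sequence from the advisory in access logs.
Added example; not Alert Logic's signature and not the plugin's code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumptions: plugin directory (the advisory does not name its five upload
# scripts, so any POST to a PHP file here is a candidate) and the standard
# WordPress uploads directory, which should never serve server-side code.
PLUGIN_PREFIX = "/wp-content/plugins/social/"
UPLOADS_PREFIX = "/wp-content/uploads/"
EXEC_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
WINDOW = timedelta(minutes=10)  # how long after an upload a follow-up GET still correlates


def parse_line(line):
    """Return the relevant fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("target").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }


def is_upload_post(ev):
    """Stages 1 and 2: POST to a plugin PHP script answered with a 302 redirect."""
    return (ev["method"] == "POST" and ev["path"].startswith(PLUGIN_PREFIX)
            and ev["path"].lower().endswith(".php") and ev["status"] == 302)


def is_exec_fetch(ev):
    """Stage 3: a request for an executable file inside the uploads directory."""
    return (ev["method"] == "GET" and ev["path"].startswith(UPLOADS_PREFIX)
            and EXEC_EXT_RE.search(ev["path"]) is not None)


def detect(log_text):
    """Walk the log in order and return findings.

    An executable fetched from the uploads directory is 'medium' on its own;
    when the same client sent an upload POST (302) within WINDOW beforehand,
    the full chain from the advisory is present and the finding is 'high'.
    """
    recent_uploads = defaultdict(list)  # ip -> timestamps of upload POSTs answered 302
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if is_upload_post(ev):
            recent_uploads[ev["ip"]].append(ev["ts"])
        elif is_exec_fetch(ev):
            chained = any(timedelta(0) <= ev["ts"] - t <= WINDOW
                          for t in recent_uploads[ev["ip"]])
            findings.append({
                "ip": ev["ip"],
                "path": ev["path"],
                "status": ev["status"],
                "severity": "high" if chained else "medium",
                "reason": ("upload POST (302) followed by request for executable file in uploads"
                           if chained else "executable file requested from uploads directory"),
            })
    return findings


# Constructed sample log: one full chain from 198.51.100.23, benign browsing
# from 192.0.2.10, and a lone probe for a PHP file in uploads from 203.0.113.77.
SAMPLE_LOG = """\
198.51.100.23 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-content/plugins/social/upload.php HTTP/1.1" 302 0 "-" "curl/7.88"
198.51.100.23 - - [10/Oct/2023:13:55:38 +0000] "GET /wp-content/uploads/2023/10/avatar.php HTTP/1.1" 200 57 "-" "curl/7.88"
192.0.2.10 - - [10/Oct/2023:14:01:02 +0000] "GET /wp-content/plugins/social/assets/style.css HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:14:01:05 +0000] "GET /wp-content/uploads/2023/10/photo.jpg HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
203.0.113.77 - - [10/Oct/2023:15:30:00 +0000] "GET /wp-content/uploads/cache.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ip']} {f['path']} ({f['status']}): {f['reason']}")
```

The lone-probe case is kept at medium severity deliberately: a PHP file requested from the uploads directory is worth a look regardless of whether the upload itself was logged, and the 404 in the sample shows that a failed request is still a signal. Run against the constructed log, the chain from 198.51.100.23 is reported as high and the probe from 203.0.113.77 as medium.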
Recommendations for Mitigation
To mitigate the vulnerability, upgrade to a non-vulnerable version of the plugin.