An arbitrary file upload vulnerability exists within versions <= 4.2 of the WordPress rtMedia plugin. The vulnerability allows the successful upload of files containing PHP, either embedded within images or carried in files with multiple file extensions. The uploaded PHP is directly executable on legacy webserver configurations where PHP ‘AddHandler’ directives enable PHP to override media types for files with multiple file extensions. Alternatively, these files could pose a significant threat if chained with a Local File Inclusion (LFI) vulnerability to achieve remote code execution.
Exploitation
Stages
- An unauthenticated remote attacker submits a file upload request to a WordPress server running a vulnerable version of the plugin.
- The server responds with the path to the uploaded file.
- The attacker requests the uploaded file directly. On legacy webserver configurations this results in execution of the embedded PHP; otherwise the attacker leverages a separate LFI vulnerability.
Prerequisites
The attacker must be able to send crafted packets to the target system.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with new signatures for this exploit, which is detected via Alert Logic Threat Manager™. If one of these signatures is triggered, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
To mitigate the vulnerability, upgrade to a non-vulnerable version of the plugin.
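After upgrading, existing uploads can be reviewed for the two file shapes described above: names where a PHP extension appears anywhere (a legacy ‘AddHandler’ mapping applies even when it is not the last extension) and image files containing a PHP open tag. The script below is an added example, not part of the original advisory or of Alert Logic's tooling; the extension sets and the sample files in `demo()` are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: extensions the server's AddHandler/AddType lines map to PHP.
PHP_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}
PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)

def classify(name, data):
    """Return the reasons an uploaded file deserves review (empty list = clean)."""
    exts = name.lower().split(".")[1:]      # every extension, not just the last
    findings = []
    if exts and exts[-1] in PHP_EXTS:
        findings.append("php-extension")
    elif any(e in PHP_EXTS for e in exts[:-1]):
        # e.g. avatar.php.jpg: AddHandler matches the inner ".php"
        findings.append("inner-php-extension")
    if exts and exts[-1] in IMAGE_EXTS and PHP_TAG.search(data):
        findings.append("php-tag-in-image")
    return findings

def scan(upload_dir):
    """Walk upload_dir and map relative path -> findings for flagged files."""
    flagged = {}
    for root, _dirs, files in os.walk(upload_dir):
        for fname in files:
            path = os.path.join(root, fname)
            with open(path, "rb") as fh:
                findings = classify(fname, fh.read())
            if findings:
                flagged[os.path.relpath(path, upload_dir)] = findings
    return flagged

def demo():
    """Run scan() over constructed sample files (not real uploads)."""
    gif = b"GIF89a" + b"\x00" * 16
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "avatar.php.jpg": gif,
        "banner.gif": gif + b"<?php /* constructed marker */ ?>",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return scan(d)

if __name__ == "__main__":
    print(demo())
```

Point `scan()` at the WordPress uploads directory; any flagged file should be inspected and, if unexpected, removed.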