The Ajax Form Pro plugin for WordPress contains an arbitrary file upload vulnerability. The vulnerability exists due to insufficient validation of uploaded file contents. The current version of the plugin implements a user-configurable whitelist of permitted file extensions and attempts to validate the contents of image files to prevent code injection. The validations present in the plugin code can be easily bypassed, and PHP code can be embedded in uploaded files. Public proof-of-concept code suggests that previous versions may have accepted .php by default, while the current version actively strips this extension. The uploaded code can be executed directly on legacy configurations that use PHP AddHandler directives with files carrying multiple extensions, or chained with local/remote file inclusion (LFI/RFI) vulnerabilities to achieve remote code execution. The plugin is no longer actively maintained but can still be downloaded for free.
Exploitation
Stages
- An unauthenticated remote attacker uploads a file containing PHP code with multiple file extensions including a whitelisted extension.
- The server responds indicating the file was uploaded successfully.
- The attacker requests the uploaded file directly.
- The file will execute the embedded PHP code on legacy webserver configurations.
Prerequisites
The attacker must be able to send crafted packets to the target system.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit when detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Disable attachment functionality for forms and restrict access to the Ajax Form Pro uploads folder using an .htaccess file. The plugin is no longer actively maintained, so sourcing an alternative plugin for the same functionality would be prudent.
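One way to apply the .htaccess restriction recommended above, as an added example that is not Alert Logic's or the plugin's own code: the script installs a policy that removes the PHP handler and type mappings for the upload directory (so the multiple-extension trick described in the Exploitation section no longer reaches PHP under AddHandler), turns the mod_php engine off, and serves only static attachment types. It assumes Apache with `AllowOverride` permitting FileInfo, Options and AuthConfig for that directory; the upload path and the allowed-extension list are placeholders to adjust.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): write a hardening
# .htaccess into a form-attachment directory. Assumes Apache 2.4 with an
# AllowOverride that permits these directives; the directory path is a
# placeholder supplied by the caller.

UPLOADS_HTACCESS='# Hardening for a form-attachment directory (added example)
# 1. Stop mod_php from executing anything here, whatever the file name.
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
# 2. Remove the PHP handler and type for this directory so that a name such
#    as "avatar.php.jpg" is no longer routed to PHP by an AddHandler directive.
RemoveHandler .php .phtml .php3 .php4 .php5 .php7 .phps
RemoveType .php .phtml .php3 .php4 .php5 .php7 .phps
# 3. Serve only the attachment types the form is expected to accept;
#    everything else, multi-extension names included, is denied.
Require all denied
<FilesMatch "\.(jpe?g|png|gif|pdf)$">
    Require all granted
</FilesMatch>
'

# Install the policy; refuses to clobber an existing .htaccess unless FORCE=1.
harden_uploads_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    if [ -e "$dir/.htaccess" ] && [ "${FORCE-0}" != 1 ]; then
        echo "refusing to overwrite $dir/.htaccess (set FORCE=1)" >&2
        return 3
    fi
    printf '%s' "$UPLOADS_HTACCESS" > "$dir/.htaccess"
    chmod 0644 "$dir/.htaccess"
}

# Check helper for audits: does the directory already remove the PHP handler?
uploads_dir_hardened() {
    grep -q '^RemoveHandler .*\.php' "$1/.htaccess" 2>/dev/null
}

# Usage (placeholder path): sh harden_uploads.sh /var/www/html/wp-content/uploads/form-attachments
if [ -n "${1-}" ]; then
    harden_uploads_dir "$1"
fi
```

The `Require all denied` default with a narrow `FilesMatch` allow-list is the part that matters on every Apache setup, including PHP-FPM deployments where `php_flag` is ignored: authorization runs before any handler, so a file that is not a plain image or PDF by name is never served, let alone executed. After installing the file, confirm that the server's `AllowOverride` actually honours it by requesting a known non-matching filename from the directory and checking for a 403.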