If you use Revolution Slider or a theme that bundles Revolution Slider, it is likely vulnerable to a Local File Inclusion (LFI) attack. This lets an attacker download arbitrary files from the server, limited only to what the web-server user has permission to read, provided they know the correct relative path. I don’t include Revolution Slider in any website I build, but several of my hosting clients use it, and I was able to verify that this is a real attack that is currently being exploited.
Since this is currently being exploited in the wild, rather than try to figure out how to update the plugin or wait for a theme update, I manually patched this plugin on servers that I manage.
You can jump to the patch section below if you want to skip the following information on the vulnerability.
The vulnerability is a Local File Inclusion attack, which allows an attacker to view or download files on the server. No login is required. For instance, the wp-config.php file can be downloaded by requesting the following URL: your_website_domain.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
If you have an unpatched version of Revolution Slider and you go to the above URL, replacing ‘your_website_domain.com’ with the site’s domain, you will be able to download the site’s wp-config.php file and see all of the site’s database credentials. I tested this with the hosts file as well, located in /etc/hosts, and as you would expect, it let me download it. You just need to change the img= GET variable.
Reportedly, ThemePunch, the company that developed the plugin, kept quiet about the problem, although they did release an update for it several months ago.
Unfortunately, since the plugin is often packaged with themes, the theme itself would have to release an update. Many sites will be unable to update the plugin even if it was legitimately purchased for their site. This was the case on all the sites I checked: the site was built by someone else who included Revolution Slider (presumably with a valid license), and there is no mechanism to update the slider without paying for a new copy or reaching out to the company that developed it to get a new copy.
*This is a quick patch meant only to stop the current attack. Ideally, you should upgrade the plugin. See the ‘Problems with this patch’ section.
The file that contains the vulnerability is image_view.class.php.
If you have it installed as a plugin, the file will be in /wp-content/plugins/revslider/inc_php/. If Revolution Slider is bundled in a theme, the location varies by theme. For example, the Avada theme has it in /wp-content/themes/Avada/framework/plugins/revslider/inc_php/
If you are running Linux, you can find every copy with mlocate (on CentOS): locate image_view.class.php
Open image_view.class.php in a text editor and find the outputImage function. It is probably around line 142. You can do a search for private function outputImage($filepath){
Find the following line: $ext = strtolower($ext);
Add the following below $ext = strtolower($ext);
$good_extensions = array('jpg', 'png', 'gif', 'jpeg', 'tiff', 'bmp');
// Refuse the request unless the extension is in the image allowlist.
// (403 is "Forbidden"; "Unauthorized" is the reason phrase for 401.)
if (empty($ext) || !in_array($ext, $good_extensions, true)) {
    header("HTTP/1.1 403 Forbidden");
    die('Unauthorized');
}
After patching, go to the following URL on your website and verify that it no longer lets you download the wp-config.php file: your_website_domain.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
After patching the Revolution Slider plugin, you should review the logs of affected sites. This vulnerability is currently being exploited. All of my sites, even those that do not use Revolution Slider, had been crawled multiple times to see if they were vulnerable. You can search the access logs for requests to that URL to see if your sites have been crawled. Since this vulnerability potentially gives attackers access to any file on the server that the web-server user has permission to read, they could have viewed other files as well, such as password files.
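As an added example (not from the original post), the following standalone PHP script performs that log search over combined-format access log lines. It flags requests to the revslider_show_image action whose img parameter contains traversal, an absolute path, or a non-image file name, and reports the client address, timestamp, status and byte count for each. The function names are assumptions for illustration, and the sample log lines at the bottom are constructed.

```php
<?php
// Added example, not from the original post. Scans combined-format access
// log lines for requests to the Revolution Slider image action that point
// outside the slider's images (traversal, absolute paths, non-image names).
// Function names are assumptions; the sample lines at the bottom are constructed.

const REVSLIDER_IMAGE_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'bmp', 'tiff'];

// Returns a reason string if the request looks like file disclosure, else null.
function revslider_request_reason(string $requestTarget): ?string
{
    $query = parse_url($requestTarget, PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;
    }
    parse_str($query, $q);                              // decodes one layer of %xx encoding
    if (($q['action'] ?? '') !== 'revslider_show_image') {
        return null;
    }
    $img = rawurldecode((string) ($q['img'] ?? ''));    // second layer, if double-encoded
    if ($img === '') {
        return 'empty img parameter';
    }
    if (strpos($img, '..') !== false || $img[0] === '/' || strpos($img, "\0") !== false) {
        return 'path traversal: img=' . $img;
    }
    $ext = strtolower(pathinfo($img, PATHINFO_EXTENSION));
    if (!in_array($ext, REVSLIDER_IMAGE_EXTENSIONS, true)) {
        return 'non-image file requested: img=' . $img;
    }
    return null;
}

// Parses each line and collects the suspicious ones with client IP, time, status and size.
function revslider_scan_log_lines(array $lines): array
{
    // Combined log format: ip ident user [time] "METHOD target HTTP/x" status bytes "ref" "ua"
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+)[^"]*" (\d{3}) (\S+)/';
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match($re, $line, $m)) {
            continue;
        }
        $reason = revslider_request_reason($m[3]);
        if ($reason !== null) {
            $hits[] = [
                'ip'     => $m[1],
                'time'   => $m[2],
                'status' => (int) $m[4],
                'bytes'  => $m[5],
                'reason' => $reason,
            ];
        }
    }
    return $hits;
}

if (PHP_SAPI === 'cli') {
    $file  = $argv[1] ?? null;
    $lines = $file ? file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) : [
        // Constructed sample lines; addresses are from documentation ranges.
        '203.0.113.5 - - [15/Dec/2014:10:01:22 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"',
        '198.51.100.7 - - [15/Dec/2014:10:02:01 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=%2e%2e%2f%2e%2e%2fetc%2fhosts HTTP/1.1" 200 412 "-" "python-requests/2.4.3"',
        '192.0.2.9 - - [15/Dec/2014:10:03:40 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=slide1.jpg HTTP/1.1" 200 52110 "-" "Mozilla/5.0"',
        '192.0.2.9 - - [15/Dec/2014:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    ];
    foreach (revslider_scan_log_lines($lines) as $h) {
        printf("%-14s %s status=%d bytes=%s %s\n",
            $h['ip'], $h['time'], $h['status'], $h['bytes'], $h['reason']);
    }
    // With the sample lines, the first two requests are reported; slide1.jpg is not.
}
```

Run it as php revslider_scan.php /path/to/access_log (the script name and log path are whatever you choose). A reported request with status 200 and a non-zero byte count is the one to treat as a confirmed disclosure of that file; after the patch, the same request should show up with status 403 instead.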
At a minimum, change the database password and the WordPress authentication keys.
There are a few problems with this patch, so my recommendation would be to update the plugin/theme via ThemePunch (the developer) if at all possible. Barring that, the patch needs to be reviewed in more detail for security issues.
Problems:
For one, it still allows a user to download images that are outside of the plugin’s saved folders. That is, you would still be able to download an image located in the /etc folder.
Another problem is that it is using a small subset of image extensions and relying on the data returned from getPathInfo to determine if the file can be viewed.
Finally, it doesn’t address the core security issues with Revolution Slider’s admin actions; it only mitigates this one. Really, this sort of attack should be stopped before the request ever reaches the outputImage function.
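As an added example (not part of the original post and not ThemePunch’s code), here is what the check behind the patch above could look like if it also enforced the two properties the problems list says are missing: the resolved path must stay inside one allowed image directory, and the file’s contents, not just its name, must carry an image signature. It is written as standalone PHP rather than as a drop-in edit to image_view.class.php; the function names, the $baseDir parameter and the 1x1 GIF used in the self-check are assumptions for illustration.

```php
<?php
// Added example, not code from the original post or from ThemePunch.
// Hardened variant of the image-serving check: extension allowlist plus
// directory containment plus a magic-byte check. Function names and the
// $baseDir parameter are assumptions for illustration.

const REVSLIDER_IMAGE_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'bmp', 'tiff'];

// Returns the absolute path to serve, or null if the request must be refused.
function revslider_safe_image_path(string $requested, string $baseDir): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Only bare relative names are expected: reject absolute paths and NUL bytes.
    if ($requested === '' || $requested[0] === '/' || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() resolves ".." and symlinks, so the containment test below
    // sees the real target regardless of how the request spelled the path.
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // Containment: the resolved file must live below $base.
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // Extension allowlist, taken from the resolved path rather than the request.
    $ext = strtolower(pathinfo($full, PATHINFO_EXTENSION));
    if (!in_array($ext, REVSLIDER_IMAGE_EXTENSIONS, true)) {
        return null;
    }
    // Content check: the first bytes must carry an image signature, so a
    // text file renamed to .jpg is still refused (skipped if exif is absent).
    if (function_exists('exif_imagetype') && @exif_imagetype($full) === false) {
        return null;
    }
    return $full;
}

// Replacement for the output step: refuse with 403 unless the path passes every check.
function revslider_output_image_safe(string $requested, string $baseDir): void
{
    $path = revslider_safe_image_path($requested, $baseDir);
    if ($path === null) {
        header('HTTP/1.1 403 Forbidden');
        exit('Forbidden');
    }
    $mime = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png',
             'gif' => 'image/gif', 'bmp' => 'image/bmp', 'tiff' => 'image/tiff'];
    header('Content-Type: ' . $mime[strtolower(pathinfo($path, PATHINFO_EXTENSION))]);
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}

// Self-check when run from the command line: builds a throwaway directory with
// one real (constructed 1x1) GIF, one text file named .jpg and one file outside
// the image directory, then exercises the check against each kind of request.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/revslider_check_' . getmypid();
    mkdir($dir . '/images', 0700, true);
    file_put_contents($dir . '/images/slide.gif',
        base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
    file_put_contents($dir . '/images/notes.jpg', 'not really an image');
    file_put_contents($dir . '/secret.php', "<?php // stands in for wp-config.php\n");

    $cases = ['slide.gif', 'notes.jpg', '../secret.php', '/etc/hosts', "slide.gif\0.php"];
    foreach ($cases as $c) {
        $r = revslider_safe_image_path($c, $dir . '/images');
        printf("%-18s => %s\n", addcslashes($c, "\0"), $r === null ? 'refused' : 'served');
    }
    // Expected: slide.gif is served; every other case is refused.

    foreach (['images/slide.gif', 'images/notes.jpg', 'secret.php'] as $f) {
        unlink("$dir/$f");
    }
    rmdir($dir . '/images');
    rmdir($dir);
}
```

The containment test is what closes the first problem above: a request for ../secret.php resolves to a real file, but realpath() places it outside $base, so it is refused before the extension is even looked at. The magic-byte check addresses the second problem, since a .jpg that does not start with an image signature is refused even though its extension is on the allowlist.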