Login

Tag Archives: Local File Inclusion (LFI)

6 Apr 2017

Vulnerability Details: Authenticated Local File Inclusion (LFI) Vulnerability in WordPress Ad Widget

From time to time vulnerabilities are fixed in plugin without someone putting out a report on the vulnerability and we will put out a post detailing the vulnerability. While putting out the details of the vulnerability increases the chances of it being exploited, it also can help to identify vulnerabilities that haven’t been fully fixed (in some cases not fixed at all) and help to identify additional vulnerabilities in the plugin.

[Read more]

28 Oct 2016

Local File Inclusion (LFI) Vulnerability in Simple Ads Manager

In a previous post we looked at a local file inclusion (LFI) vulnerability in the plugin SAM Pro (Free Edition), since that is described as successor to Simple Ads Manager (the plugin is currently removed from the Plugin Directory) we took a look to see if it also had the same vulnerability. As it turned out the plugin was not really vulnerable until the same change made to try to fix the issue in SAM Pro (Free Edition), was made to this plugin.

In the prior version, 2.9.8.125, you can see that the file to be included was not user specified (as seen in the file /sam-ajax-admin.php): [Read more]

28 Oct 2016

Local File Inclusion (LFI) Vulnerability in SAM Pro (Free Edition)

One of the reasons that we provide the details of vulnerabilities that we discover is because we have seen from our own experience (and others) that when reviewing those details you will often notice that the vulnerability has not been fully fixed or that there are additional related vulnerabilities. When those details don’t get released, then those issues can remain in the plugin, as something we just looked into shows.

On Wednesday we had a request for a file, /wp-content/plugins/sam-pro-free/js/sam.pro.dialog.js, from the plugin SAM Pro (Free Edition) on one of our websites. Since we don’t have that plugin installed, that would likely be an indication that a hacker is probing for usage of the plugin before exploiting something in it. We didn’t have any vulnerabilities in this plugin in our dataset, so we went looking to see if any had been disclosed. We found a number of pages that all related a Youtube video, Demo Exploiting Sam Pro Free WordPress Plugin LFI to RCE. The video doesn’t really show you anything, so it wasn’t clear if this related to an actual vulnerability or not. Next up was looking over the changelog for the plugin we saw that in version 1.9.55 one the entries was “Possible vulnerability was excluded”. Looking over the changes made between the previous version in the changelog, 1.8.2.51, and that version, there were a number of security related changes made. That included restricting direct access to a number of the files in the plugin, sanitizing some user input, and changes related to the use of a user specified being value used when including a file. [Read more]

20 Oct 2016

Local File Inclusion (LFI) Vulnerability in InPost Gallery

One of the ways we keep track of vulnerabilities in WordPress plugins to provide our customers with the best data is by monitoring our websites for apparent activity by hackers. We recently had a request for a file from the plugin InPost Gallery, /wp-content/plugins/inpost-gallery/js/front.js. We don’t have that plugin installed on the website, so the request would likely be from someone probing for usage of the plugin. In looking over the plugin for something that hackers might target, we found a couple of vulnerabilities and some additional security issues. We are not sure if either of the vulnerabilities we found are are what the hacker was looking for or if there is still some other issue lurking in the plugin.

The more serious of the two vulnerabilities was a local file inclusion (LFI) vulnerability that would have allowed the hacker to cause a specified PHP file to to be included. That type of vulnerability could be used to get around protection in place in a file that restricts it from being loaded directly. [Read more]

14 Jul 2016

Local File Inclusion (LFI) Vulnerability in MailPress

One of the things we do to protect our customers from vulnerabilities in WordPress plugins is to monitor our websites for activity indicating that someone is looking to exploit a vulnerability in a plugin. That recently has been allowing us to detect quite a few serious vulnerabilities that it looks like no one else is spotting, so our service is the only one that actual provides you any warning and therefore any protection against them until they are fixed.

Usually by just knowing that a plugin appears to be of interest to hackers we are able to identify a vulnerability that hackers would actually exploit and is likely the vulnerability that they are attempting to exploit. In the latest case we were not able to figure out what that might be due largely to the fact the plugin is so insecure it is hard to narrow down where we might need to look to figure out what it is they are targeting. We did find one vulnerability that is very serious and could be targeted with the plugin in its default state, but it is not a type of vulnerability that is often exploited, so if the plugin is being targeted by hackers there is likely something else out there as well. [Read more]