A growing number of WordPress websites have been infected by
attackers exploiting a vulnerability that remains unpatched in a widely
used plugin called WP Mobile Detector, security researchers warned.
The security flaw stems from the plugin's failure to remove
malicious input submitted by website visitors. Because the WP Mobile
Detector performs no security checks, an attacker can feed malicious PHP
code into requests received by websites that use the plugin.
"The vulnerability is very easy to exploit," Sucuri security
analyst Douglas Santos wrote. "All the attacker needs to do is send a
request to resize.php or timthumb.php (yes, timthumb, in this case it
just includes resize.php), inside the plugin directory with the backdoor
URL."
Uninstall now
With no update available, the most sensible course of action
for vulnerable websites is to completely uninstall WP Mobile Detector. A
partial fix involves disabling PHP execution in the plugin's
subdirectory, but that measure doesn't stop attackers from uploading
malicious files to that directory and linking to them elsewhere online.
Website administrators may also revoke write permissions altogether in
the subdirectory, but that may prevent the plugin from working. Most
application level firewalls don't provide meaningful protection against
the exploits either, although Sucuri said its firewall service does
provide a patch using a virtual hardening engine. The vulnerability can
be exploited only when PHP option allow_url_fopen is enabled.
If the exploit's invocation of resize.php sounds familiar,
it may be because of the recent vulnerability detected in ImageMagick, a
widely used image-processing library that many sites use directly or
indirectly to resize images uploaded by end users. However, Sucuri CTO
Daniel Cid told Ars that there's no connection between the two
vulnerabilities.
Post updated to add link to original disclosure and detail about exploitability.
Comments
Post a Comment