Slider Revolution Responsive WordPress Plugin vulnerability


This topic contains 2 replies, has 2 voices, and was last updated by  AITpro Admin 3 years, 9 months ago.

    #17892

    AITpro Admin
    Keymaster

    http://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html

    This type of vulnerability is known as a Local File Inclusion (LFI) attack. The attacker is able to access, review, or download a local file on the server. This, in case you’re wondering, is a very serious vulnerability that should have been addressed immediately.

    BPS and BPS Pro protect against LFI hacking attempts/attacks in general and block/protect against this specific Slider Revolution Responsive WordPress Plugin vulnerability.  If you have BPS or BPS Pro installed then your site is protected against this vulnerability, BUT you should still upgrade your plugin or theme immediately.

    Test URL/Query String to confirm that this LFI hacking attempt/attack Query String is blocked by BPS and BPS Pro (replace example.com with your actual domain name):

    http://www.example.com/wp-admin/admin-ajax.php?action=test&img=../wp-config.php

    #18486

    Bob
    Participant

    Hi, I received a security log event code WPADMIN-SBR and was checking the forum for a way to avoid this issue: having read the forum notes for this I searched for the URI code which is:

    REQUEST_URI: /wp-admin/admin-ajax.php?action=revslider_show_image&img=..%2Fwp-config.php

    I was then directed to reply #17892 so I am querying in this thread.

    Since the site doesn’t have the revslider plugin and the theme is up to date I cannot take the action suggested. However, I have used the ‘Test URL/Query String’ and get a 403 response – so it is being blocked.

    Do I need to do any more?
    Thanks
    Bob

    #18487

    AITpro Admin
    Keymaster

    If you do not have this plugin installed then this is just a random hackerbot probe to see if your site does have this plugin installed or a hacking attempt to hack your website. Automated hackerbots are programmed with exploits to try/test on a website. The automated hackerbot will either report back to the hacker that this website has a vulnerability or if the automated hackerbot is sophisticated enough it will hack your website and report back to the hacker that this website has been successfully hacked. That Request URI is blocked because it is an LFI hacking attempt/attack/probe so you will always see a 403 forbidden status response for this LFI hacking attempt/attack/probe.

    In other words, this Security Log entry is a logged blocked hacking attempt.
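An added example (not BPS code) of how a log reviewer can triage entries like the one quoted above: it scans the REQUEST_URI lines for traversal sequences in query parameters, decoding percent-encoding repeatedly so that `..%2F` and double-encoded `..%252F` are recognised as the same `../` probe. The log lines are constructed for this example and modelled on the format shown in this thread.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample Security Log lines (format modelled on the thread above).
SAMPLE_LOG = """\
REQUEST_URI: /wp-admin/admin-ajax.php?action=revslider_show_image&img=..%2Fwp-config.php
REQUEST_URI: /wp-admin/admin-ajax.php?action=test&img=../wp-config.php
REQUEST_URI: /wp-admin/admin-ajax.php?action=heartbeat
REQUEST_URI: /wp-admin/admin-ajax.php?action=revslider_show_image&img=..%252F..%252Fwp-config.php
REQUEST_URI: /wp-content/uploads/2014/09/slide1.jpg
"""

# A ".." path segment bounded by a slash/backslash or the string boundary.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def fully_decode(value, max_rounds=3):
    """Percent-decode until stable so double-encoded payloads are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(uri):
    """Return a finding dict for the first query parameter carrying traversal, else None."""
    parts = urlsplit(uri)
    params = parse_qsl(parts.query, keep_blank_values=True)  # decodes one layer
    action = dict(params).get("action")
    for name, raw in params:
        value = fully_decode(raw)
        if TRAVERSAL.search(value):
            return {"param": name, "value": value, "action": action, "uri": uri}
    return None


def scan_log(text):
    """Extract REQUEST_URI entries from log text and return the LFI-probe findings."""
    findings = []
    for line in text.splitlines():
        if not line.startswith("REQUEST_URI:"):
            continue
        uri = line.split(":", 1)[1].strip()
        finding = classify_request(uri)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"LFI probe: action={f['action']} param={f['param']} value={f['value']}")
```

Each finding records which parameter carried the traversal and which admin-ajax action was targeted, which is enough to confirm that a WPADMIN-SBR entry was a blocked probe rather than legitimate traffic.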
