Lightning Base

Blocking the Slider Revolution Plugin Vulnerability

Thursday, September 4th, 2014 / Posted in: Security / By: Chris Piepho

There is a vulnerability for the Slider Revolution Plugin for WordPress that has already been disclosed in forums. More information regarding the vulnerability is available from Sucuri. We are now blocking the attack, and will be updating our block based on logs/feedback to keep clients safe.

The vulnerability makes it possible for an attacker to read your wp-config.php and find your database credentials, which may allow them to compromise your site’s database. We don’t allow random IP addresses to connect directly to your database, but that may not prevent someone from finding a way to use the database info to connect to your DB.

We will force-update plugins when serious vulnerabilities are found, but cannot do that here, because this is a premium plugin, available via ThemeForest. It is also built into many themes, which makes it particularly problematic. Some users may not even realize they are running the plugin, and it’s hard to say if all themes will update their included files to remove the problem.

In order to fix this, we have added rules to our webapp firewall, ModSecurity, to block the attack. We’ve started by blocking all query strings that include ‘wp-config.php’. This isn’t something that should be used often in a query string, so I don’t expect it to cause many problems (and we haven’t seen any tickets regarding problems so far).

The basic rule we’re using is this:

SecRule ARGS_GET "wp-config.php" "t:lowercase,deny,status:403,log,id:9876543,msg:'wp-config query string'"

If you want to use this on your own server, you should replace the ‘id’ number with a different 7-digit string, making sure it does not conflict with any rules you already use. The id here is just a placeholder, as we use our own numbering system. This rule looks at all query string parameters (ARGS_GET), lowercases them, and issues a 403 response to any request whose parameter values include ‘wp-config.php’ anywhere in the string. The block will be logged with the message ‘wp-config query string’.
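To show what the rule above actually matches, here is an added example (not code from Lightning Base or from ModSecurity) that emulates the rule's logic in Python and runs it over a few constructed access-log lines. It assumes the standard ModSecurity behaviour that ARGS_GET holds percent-decoded query string values and that t:lowercase is applied before the match; the log lines, IP addresses and parameter names are made up for the example.

```python
"""Emulate the post's ModSecurity rule over sample access-log lines (added example)."""
import re
from urllib.parse import parse_qsl, urlsplit

# The file name the post's rule looks for. ModSecurity's default operator is @rx,
# so in the original rule the '.' also matches any single character; escaping it
# here keeps this emulation strict to the literal name.
WP_CONFIG_RE = re.compile(r"wp-config\.php")

# Apache combined-log style lines, constructed for this example (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [04/Sep/2014:10:00:01 +0000] "GET /?s=wordpress HTTP/1.1" 200 512
203.0.113.6 - - [04/Sep/2014:10:00:02 +0000] "GET /index.php?file=../../WP-CONFIG.PHP HTTP/1.1" 200 4096
203.0.113.7 - - [04/Sep/2014:10:00:03 +0000] "GET /index.php?file=..%2F..%2Fwp-config%2Ephp HTTP/1.1" 200 4096
203.0.113.8 - - [04/Sep/2014:10:00:04 +0000] "GET /wp-config.php HTTP/1.1" 403 0
203.0.113.9 - - [04/Sep/2014:10:00:05 +0000] "GET /?q=wp-config.php+tutorial HTTP/1.1" 200 800
"""

# Minimal combined-log parser: client IP, method and request target are all we need.
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)


def blocked_by_rule(request_target):
    """Emulate: SecRule ARGS_GET "wp-config.php" "t:lowercase,deny,status:403,...".

    ARGS_GET is the set of query string parameter values, percent-decoded
    (parse_qsl does that and turns '+' into a space, as ModSecurity's argument
    parsing does). t:lowercase runs before the match, so case variants are caught.
    The request path itself is NOT inspected by ARGS_GET, only the query string.
    """
    query = urlsplit(request_target).query
    return any(
        WP_CONFIG_RE.search(value.lower())
        for _name, value in parse_qsl(query, keep_blank_values=True)
    )


def apply_rule_to_log(log_text):
    """Return one (client_ip, decision, request_target) tuple per parsable line.

    decision is "deny" where the rule would answer 403, and "pass" otherwise.
    """
    results = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined-log format
        target = m.group("target")
        decision = "deny" if blocked_by_rule(target) else "pass"
        results.append((m.group("ip"), decision, target))
    return results


if __name__ == "__main__":
    for ip, decision, target in apply_rule_to_log(SAMPLE_LOG):
        print(f"{ip:<12} {decision:<5} {target}")
```

Two points worth noticing in the output: the mixed-case and percent-encoded variants are both denied because the transformation and decoding happen before the match, while a bare request for /wp-config.php passes this rule, since ARGS_GET only covers query parameters (that path is served by PHP anyway and returns nothing useful). The last line shows the false positive the post accepts: a site-search query that merely mentions the file name is denied too.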

We don’t always post info like this, because it can help attackers work around the block, by knowing what is being restricted. This was just a rough rule, however, which will be refined, and given that we are already seeing it stop attacks fairly regularly, I felt it might be helpful to share.

If you don’t use ModSecurity, it should also be possible to block this with .htaccess, and I believe that Wordfence has been updated to protect against the attack.

Hopefully that helps someone running their own server who isn’t sure if they are vulnerable to this issue. If you are hosting your site here at Lightning Base, the rule is already applied, so you don’t need to take any of the actions described above.



Author : Chris Piepho

Chris is the founder of Lightning Base. You'll find him all over around here - writing on this blog, providing customer service, and handling whatever else needs to be done. You can reach him easily by filling out our contact form and addressing your message to Chris.
