A huge vulnerability has been found in the File Manager plugin for WordPress web sites.  While a patch was released on September 1, 2020, millions of attacks are still taking place through unprotected sites…

You can read more about how to protect yourself, and what the threat is.  Don’t worry – if you’re hosted with us we’ve already done everything required if you had the plugin installed.  We’ve even thrown in example code for all you techies out there.


What is File Manager?

File Manager is a plugin designed to help WordPress administrators manage files on their sites.  The plugin contains an additional library, elFinder, which is an open-source file manager designed to create a simple file management interface and provides the core functionality behind the file manager.  The File Manager plugin used this library in a way that introduced a vulnerability.


[Image: WordPress post entry being worked on from a laptop. Caption: The File Manager plugin for WordPress is causing problems…]

What’s caused this vulnerability?

The core of the issue is that the File Manager plugin renamed the elFinder library’s connector.minimal.php.dist file to connector.minimal.php so it could be executed directly, even though the File Manager itself never used the connector file.

Such libraries often include example files that are not intended to be used “as-is” without adding access controls.  This file had no direct access restrictions, meaning it could be requested by anyone.

This file could be used to initiate an elFinder command: it hands the request straight to the connector class in elFinderConnector.class.php.

```php
// run elFinder
$connector = new elFinderConnector(new elFinder($opts));
$connector->run();
```

Any parameters sent in a request to connector.minimal.php would be processed by the run() function in the elFinderConnector.class.php file.  This includes the command that was supplied in the cmd parameter.

```php
public function run()
{
    // Note: nothing in this path checks who is making the request.
    $isPost = $this->reqMethod === 'POST';
    $src = $isPost ? array_merge($_GET, $_POST) : $_GET;
    $maxInputVars = (!$src || isset($src['targets'])) ? ini_get('max_input_vars') : null;
    if ((!$src || $maxInputVars) && $rawPostData = file_get_contents('php://input')) {
        // for max_input_vars and supports IE XDomainRequest()
        $parts = explode('&', $rawPostData);
        if (!$src || $maxInputVars < count($parts)) {
            $src = array();
            foreach ($parts as $part) {
                list($key, $value) = array_pad(explode('=', $part), 2, '');
                $key = rawurldecode($key);
                if (preg_match('/^(.+?)\[([^\[\]]*)\]$/', $key, $m)) {
                    $key = $m[1];
                    $idx = $m[2];
                    if (!isset($src[$key])) {
                        $src[$key] = array();
                    }
                    if ($idx) {
                        $src[$key][$idx] = rawurldecode($value);
                    } else {
                        $src[$key][] = rawurldecode($value);
                    }
                } else {
                    $src[$key] = rawurldecode($value);
                }
            }
            $_POST = $this->input_filter($src);
            $_REQUEST = $this->input_filter(array_merge_recursive($src, $_REQUEST));
        }
    }
    if (isset($src['targets']) && $this->elFinder->maxTargets && count($src['targets']) > $this->elFinder->maxTargets) {
        $this->output(array('error' => $this->elFinder->error(elFinder::ERROR_MAX_TARGTES)));
    }
    // The command name is taken straight from the request's cmd parameter.
    $cmd = isset($src['cmd']) ? $src['cmd'] : '';
    $args = array();
    // ... remainder of run() omitted in the original excerpt
}
```
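As an added illustration of what the bare connector was missing (example code written here, not the plugin’s or elFinder’s own), the same two elFinder lines wrapped in WordPress login, capability and nonce checks, with upload restrictions on the root.  The function and nonce names, the `manage_options` capability, and the two paths are assumptions.

```php
<?php
// Added example (not the plugin's or elFinder's own code): the access
// control a connector entry point needs before any elFinder command runs.
// Assumes WordPress is loaded and that elFinder's php/autoload.php lives
// under $elfinder_dir (a hypothetical path). Function and nonce names are
// invented for this illustration.

function secure_file_manager_connector(string $elfinder_dir, string $files_dir): void
{
    // 1. Refuse anonymous requests outright. The bare connector.minimal.php
    //    performed none of these checks, so anyone could issue commands.
    if (!is_user_logged_in()) {
        wp_die('Authentication required.', 'File Manager', ['response' => 401]);
    }

    // 2. Require an administrative capability, not just a login.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges.', 'File Manager', ['response' => 403]);
    }

    // 3. Require a valid nonce so an administrator's browser cannot be made
    //    to issue commands by a cross-site request. Dies on failure.
    check_ajax_referer('secure_file_manager_nonce', '_wpnonce');

    require_once rtrim($elfinder_dir, '/') . '/autoload.php';

    $opts = [
        'roots' => [[
            'driver'        => 'LocalFileSystem',
            'path'          => $files_dir,
            // No web-facing URL: uploads are never served for execution.
            'URL'           => '',
            // Deny everything by default, then allow a short list of MIME
            // types; with this order only the listed types get through.
            'uploadDeny'    => ['all'],
            'uploadAllow'   => ['image/png', 'image/jpeg', 'image/gif', 'text/plain'],
            'uploadOrder'   => ['deny', 'allow'],
            'accessControl' => 'secure_file_manager_access',
        ]],
    ];

    // Only now, with an authenticated, authorised, nonce-checked request,
    // hand control to elFinder (the same two lines the plugin exposed unguarded).
    $connector = new elFinderConnector(new elFinder($opts));
    $connector->run();
}

/**
 * elFinder accessControl callback: hide dotfiles and refuse to read or write
 * them. Returning null lets elFinder apply its default permissions.
 * ($isDir is left untyped because elFinder may pass null when unknown.)
 */
function secure_file_manager_access(string $attr, string $path, $data, $volume, $isDir, string $relpath): ?bool
{
    $basename = basename($path);
    if ($basename !== '' && $basename[0] === '.' && strlen($relpath) !== 1) {
        // 'read'/'write' -> false (denied); 'locked'/'hidden' -> true.
        return !($attr === 'read' || $attr === 'write');
    }
    return null;
}

// Register as an admin-ajax action. WordPress fires wp_ajax_{action} only
// for logged-in users; the function above re-checks everything anyway.
add_action('wp_ajax_secure_file_manager', function (): void {
    secure_file_manager_connector(
        WP_PLUGIN_DIR . '/secure-file-manager/elfinder/php',   // hypothetical location
        WP_CONTENT_DIR . '/uploads/secure-file-manager'         // hypothetical upload root
    );
});
```

The three checks are layered on purpose: the login check stops anonymous probing, the capability check stops a low-privilege account from managing files, and the nonce stops a logged-in administrator being driven into issuing commands from another site.  The upload deny/allow lists are a second line of defence so that a scripting file cannot be dropped into the root even by an authorised user.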

 

The good news is that elFinder has built-in protection against directory traversal, so an attacker would be unable to use any of these commands on any files outside of the plugins/wp-file-manager/lib/files/ directory.

The attacks we are seeing in the wild are using the upload command to upload PHP files containing webshells hidden in an image to the wp-content/plugins/wp-file-manager/lib/files/ directory.


What are the indicators of a compromise?

We are seeing attackers attempting to inject random files, all of which appear to begin with the word “hard” or “x”.  From our firewall attack data, it appears that attackers may be probing for the vulnerability with empty files and, if successful, may attempt to inject a malicious file.

Here is a list of some of the files we are seeing uploaded:

hardfork.php
hardfind.php
x.php


Please look for these files in the /wp-content/plugins/wp-file-manager/lib/files directory of your site.  We’ve also noted a number of the same IP addresses launching the attacks – so blacklist these now to reduce the risk…

188.165.217.134
192.95.30.59
192.95.30.137
198.27.81.188
46.105.100.82
91.121.183.9
185.81.157.132
185.222.57.183
185.81.157.236
185.81.157.112
94.23.210.200
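As an added triage example (not code from this post or from the plugin), a small PHP script that checks both indicators: PHP files dropped into the lib/files directory, and access-log requests to connector.minimal.php from the listed addresses.  The Apache “combined” log format, the log path, the connector’s URL path and the sample log lines are assumptions constructed for the example.

```php
<?php
// Added example (not the page's or the plugin's own code): a triage script
// for the two indicators above. It lists PHP files found in the plugin's
// files directory and picks out access-log requests to connector.minimal.php
// from the listed IP addresses. The log format (Apache "combined"), the
// directory path and the sample log lines are constructed for this example.

const FILES_DIR = '/var/www/html/wp-content/plugins/wp-file-manager/lib/files';
const CONNECTOR = 'connector.minimal.php';

// Attacker addresses quoted in the post.
const SUSPECT_IPS = [
    '188.165.217.134', '192.95.30.59', '192.95.30.137', '198.27.81.188',
    '46.105.100.82', '91.121.183.9', '185.81.157.132', '185.222.57.183',
    '185.81.157.236', '185.81.157.112', '94.23.210.200',
];

/**
 * Report PHP files in the elFinder upload root. The directory should hold
 * user uploads only, so any .php there is suspect; names matching the
 * observed "hard*.php" / "x.php" pattern are flagged as known indicators.
 */
function scan_upload_dir(string $dir): array
{
    $hits = [];
    if (!is_dir($dir)) {
        return $hits;
    }
    foreach (scandir($dir) as $name) {
        if (!preg_match('/\.php$/i', $name)) {
            continue;
        }
        $path = $dir . DIRECTORY_SEPARATOR . $name;
        $hits[] = [
            'path'  => $path,
            'size'  => filesize($path),   // 0 bytes would match the empty probe files
            'known' => (bool) preg_match('/^(hard.*|x)\.php$/i', $name),
        ];
    }
    return $hits;
}

/** Parse one Apache combined-format line; returns null if it does not match. */
function parse_access_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5]];
}

/** Every request to the connector, with a flag for the IPs listed above. */
function connector_requests(iterable $lines): array
{
    $out = [];
    foreach ($lines as $line) {
        $req = parse_access_line(trim($line));
        if ($req === null || strpos($req['path'], CONNECTOR) === false) {
            continue;
        }
        $req['listed_ip'] = in_array($req['ip'], SUSPECT_IPS, true);
        $out[] = $req;
    }
    return $out;
}

// Constructed sample lines (not real traffic); the connector's URL path is assumed.
$sample_log = [
    '188.165.217.134 - - [04/Sep/2020:10:15:22 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Sep/2020:10:16:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Sep/2020:10:16:40 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 128 "-" "curl/7.68.0"',
];

foreach (connector_requests($sample_log) as $r) {
    printf("[%s] %s %s %s -> %d%s\n", $r['time'], $r['ip'], $r['method'], $r['path'], $r['status'],
        $r['listed_ip'] ? '  LISTED ATTACKER IP' : '');
}
foreach (scan_upload_dir(FILES_DIR) as $f) {
    printf("%s %s (%d bytes)\n", $f['known'] ? 'KNOWN INDICATOR' : 'unexpected PHP ', $f['path'], $f['size']);
}
// Against a real log: connector_requests(new SplFileObject('/var/log/apache2/access.log'));
```

Note that the second connector request in the sample comes from an address that is not on the list: because the endpoint required no authentication, any request to connector.minimal.php from an address you do not recognise deserves the same attention as one from the listed IPs, and a blocklist on its own is not a substitute for updating or removing the plugin.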


What’s the recommendation for File Manager?

There are two options here – update or remove.  If you find that your site’s functionality requires consistent usage of the plugin, ensure it is updated to at least version 6.9, which patched this vulnerability.

If you are not actively using the plugin, uninstall it completely.  Due to the breadth of file management functionality this plugin provides a user within the wp-admin dashboard, we recommend uninstalling the plugin when it is not actively being used.  This is the same advice we give with all plugins.


Need more help?

If you need more help – contact us.  Remember, if you are hosted with us already you’re protected.  If you want to move to us, talk to us today.