Rules to prevent content injection vulnerability in WordPress 4.7.0 or 4.7.1

Icaro Torres

Feb 22, 2017, 1:19:33 PM2/22/17
to osse...@googlegroups.com
Hello everybody,

As part of the iBLISS Labs team, I would like to contribute some rules that can prevent or hinder exploitation of the content injection vulnerability in WordPress 4.7.0 or 4.7.1. Listed below are the link with details and an explanation of the vulnerability, the rules, and a log sample collected from OSSEC using these rules:

##

Vulnerability details:

Checking for Content Injection Vulnerability in WordPress (https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html).

##

OSSEC Rules:

<!-- Rules for local_rules.xml (ids in the 100000+ local range). All four hang off
     the web access-log rules (31100, 31101, 31108) and require the posts endpoint
     in the decoded URL. OSSEC raises only the first sibling rule that matches
     (highest level first, then file order), so the two specific rules are listed
     before the generic GET/POST ones; in the other order an exploit attempt would
     only ever alert as 160006 or 160007. The maxsize="1" attribute was dropped,
     as it had no effect on matching. -->
<group name="web,appsec,attack">
  <rule id="160008" level="10">
    <if_sid>31100,31101,31108</if_sid>
    <url>/wp-json/wp/v2/posts/</url>
    <!-- OSSEC regex has no "?" quantifier, so "?" here is the literal query-string
         separator. WordPress casts the id with (int), so a payload that reaches an
         existing post starts with digits (e.g. ?id=123abc); "\d*\D" catches that,
         where the earlier "\D+" could only match ids starting with a non-digit. -->
    <regex>/wp-json/wp/v2/posts/\d+?id=\d*\D</regex>
    <description>Content Injection Attack in WordPress (https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html).</description>
  </rule>

  <rule id="160009" level="10">
    <if_sid>31100,31101,31108</if_sid>
    <url>/wp-json/wp/v2/posts/</url>
    <!-- Default User-Agent of Python's urllib; trivially changed by an attacker. -->
    <match>Python-urllib</match>
    <description>Content Injection Attack in WordPress (https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html).</description>
  </rule>

  <!-- Generic probes: any GET or POST to the posts endpoint. These also fire on
       legitimate REST API clients, so expect noise at level 10. -->
  <rule id="160006" level="10">
    <if_sid>31100,31101,31108</if_sid>
    <url>/wp-json/wp/v2/posts/</url>
    <match>GET</match>
    <description>Checking for Content Injection Vulnerability in WordPress (https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html).</description>
  </rule>

  <rule id="160007" level="10">
    <if_sid>31100,31101,31108</if_sid>
    <url>/wp-json/wp/v2/posts/</url>
    <match>POST</match>
    <description>Checking for Content Injection Vulnerability in WordPress (https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html).</description>
  </rule>
</group>

##

Log sample:

** Alert 1487094067.16027193: mail  - web,appsec,attack
2017 Feb 14 17:41:07 wap->/var/log/nginx/www.ciespsul.org.br-access.log
Rule: 160006 (level 10) -> 'Checking for Content Injection Vulnerability in WordPress (https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html).'
Src IP: 95.211.196.216 / NLD / Noord-Holland
95.211.196.216 - - [14/Feb/2017:15:41:06 -0200] "GET /index.php/wp-json/wp/v2/posts/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0" "-"

** Alert 1487094069.16027729: mail  - web,appsec,attack
2017 Feb 14 17:41:09 wap->/var/log/nginx/www.ciespsul.org.br-access.log
Rule: 160006 (level 10) -> 'Checking for Content Injection Vulnerability in WordPress (https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html).'
Src IP: 95.211.196.216 / NLD / Noord-Holland
95.211.196.216 - - [14/Feb/2017:15:41:07 -0200] "GET /wp-json/wp/v2/posts/ HTTP/1.1" 404 17192 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0" "-"

##

Best regards.


--
Icaro Torres
Security Operations Analyst
p:+55 (11) 3255-3926
w:www.ibliss.com.br/  e: icaro....@ibliss.com.br
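The detection logic of the four rules, applied to access-log lines in Python, as an added example that is not part of the original post or of OSSEC: it parses nginx combined-format lines (the first two taken from the post's log sample, the rest constructed with documentation IP addresses), evaluates the same four conditions, and, like OSSEC, raises a single rule per event, checking the specific rules before the generic GET/POST ones so they are not shadowed. The Python pattern `id=\d*\D` is this example's equivalent of the OSSEC `<regex>`, widened so that a payload such as `?id=123abc` is caught; matching on parsed fields (method, URL, User-Agent) instead of OSSEC's whole-line `<match>` is also this example's choice.

```python
import re
from typing import NamedTuple, Optional

# Combined-format nginx access log, as in the post's log sample (the trailing
# "-" field on those lines is tolerated because the pattern is not anchored at the end).
LOG_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

POSTS_ENDPOINT = "/wp-json/wp/v2/posts/"
# Equivalent of the OSSEC <regex>: a numeric post id in the path followed by an
# "id" query parameter that is not purely numeric (e.g. ?id=123abc).
INJECTION_RE = re.compile(r"/wp-json/wp/v2/posts/\d+\?id=\d*\D")

# Constructed sample: lines 1-2 are from the post's log sample, lines 3-5 are made up
# (RFC 5737 addresses) to exercise the attack, User-Agent and benign cases.
SAMPLE_LOG = """\
95.211.196.216 - - [14/Feb/2017:15:41:06 -0200] "GET /index.php/wp-json/wp/v2/posts/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0" "-"
95.211.196.216 - - [14/Feb/2017:15:41:07 -0200] "GET /wp-json/wp/v2/posts/ HTTP/1.1" 404 17192 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0" "-"
203.0.113.7 - - [14/Feb/2017:15:42:10 -0200] "POST /wp-json/wp/v2/posts/123?id=123abc HTTP/1.1" 200 512 "-" "Python-urllib/2.7" "-"
203.0.113.7 - - [14/Feb/2017:15:42:11 -0200] "GET /wp-json/wp/v2/posts/123 HTTP/1.1" 200 4096 "-" "Python-urllib/2.7" "-"
198.51.100.9 - - [14/Feb/2017:15:43:00 -0200] "GET /?p=123 HTTP/1.1" 200 20480 "-" "Mozilla/5.0" "-"
"""


class Entry(NamedTuple):
    src_ip: str
    method: str
    url: str
    status: int
    agent: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one access-log line; return None for lines the decoder would not understand."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Entry(m["src_ip"], m["method"], m["url"], int(m["status"]), m["agent"])


def match_rule(e: Entry) -> Optional[int]:
    """Return the id of the first matching rule, or None.

    OSSEC alerts once per event on the first sibling rule that matches, so the
    specific rules (160008, 160009) are checked before the generic GET/POST ones;
    otherwise an exploit attempt would surface only as 160006/160007.
    """
    if POSTS_ENDPOINT not in e.url:  # <url> condition shared by all four rules
        return None
    if INJECTION_RE.search(e.url):
        return 160008
    if "Python-urllib" in e.agent:
        return 160009
    if e.method == "GET":
        return 160006
    if e.method == "POST":
        return 160007
    return None


def scan(log_text: str) -> list:
    """Return (src_ip, rule_id, url) for every line that triggers a rule."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        rule = match_rule(e)
        if rule is not None:
            hits.append((e.src_ip, rule, e.url))
    return hits


if __name__ == "__main__":
    for src_ip, rule_id, url in scan(SAMPLE_LOG):
        print(f"Rule {rule_id}: {src_ip} {url}")
```

Note that a PUT to the same route matches none of the four rules unless the id or User-Agent pattern fires, and that rule 160006 fires for every GET of the public posts endpoint, so a site with legitimate REST API consumers will see it often.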
    
 

dan (ddp)

Feb 24, 2017, 12:32:14 PM2/24/17
to ossec-dev
Thanks for the rules. I've submitted a pull request, but Daniel Cid
has some comments that worry me.
I don't run wordpress myself, so I don't know a whole lot about it.
PR: https://github.com/ossec/ossec-hids/pull/1069