Threat Intelligence Report – Information Disclosure: Giribaz

The Giribaz File Manager Plugin for WordPress, version 5.0.1 and earlier, has come onto the radar of Alert Logic’s Threat Intelligence team through active exploitation attempts in customer environments. According to its website, the plugin is trusted and used by 30,000+ websites and has been downloaded over 188,000 times.

This vulnerability can be exploited remotely via a web browser and requires no authentication. Continue reading to learn more about this threat and how it may impact you.

The plugin provides extended file management for WordPress through a GUI, which allows administrators to modify files in the web browser as they would on a local machine. It even allows ‘shortcode’ to be used to modify the website itself without going through the usual administration. When ‘verbose logging’ is enabled, the plugin helpfully dumps the contents of the file it is acting on into the log file, which is then available to read.

While we understand that this functionality may be useful during development, it opens up significant attack risk. Specifically, in the context of modifying the website files, we can understand that the plugin developer might require the file contents to be logged before and after a change. This may be useful for troubleshooting, but for users it seems unnecessary. It would be better to write a backup file to the same location as the file, or to a configurable location.

This vulnerability highlights the responsibility of users of third-party modules to pay due care and attention to the access rights of the web server and its contents, and to patch immediately.

Figure 1 – Threat Summary

  1. The server returns the contents of the log: the location in which the Giribaz File Manager log is stored is publicly accessible, allowing unauthenticated, remote users to request the file directly.
  2. The WordPress server will simply send the entire contents of the log file as a response to requests, as it would with any other text file.

The vulnerability can be exploited to extract sensitive information from the target, which could include configuration information such as database info, passwords, and salt values. The combination of verbose logging and a publicly accessible log creates the potential for sensitive information disclosure.

Hosts and users who are utilising this software are strongly encouraged to update their plugin to the latest available version, as attackers are actively and successfully utilising this vector to gather information on potential victims. This information can then be used for more in-depth attacks at a later date.
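
For sites that ran an affected version, the sketch below triages a copy of the plugin log for the `wp-config.php` values named above (database info, passwords, salts) and lists the rotation steps they imply. It is an added example, not part of the original report or the plugin's code. The log layout and sample text are constructed, and the function names are hypothetical, since the report does not show the log format.

```python
import re

# wp-config.php constants that count as disclosed secrets if they were logged.
DB_KEYS = {"DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST"}
SALT_KEYS = {
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
}
# Matches define('NAME', 'value') with either quote style and loose spacing.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*(['"])(?P<name>[A-Z_]+)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\)"""
)

# Constructed sample; the real log layout is an assumption.
SAMPLE_LOG = """\
[2018-02-20 10:01:07] open file: readme.html
[2018-02-20 10:02:31] open file: wp-config.php
define('DB_NAME', 'wp_site');
define( 'DB_PASSWORD', 'EXAMPLE-not-a-real-password' );
define('AUTH_KEY',         'EXAMPLE-constructed-key');
define('NONCE_SALT', "EXAMPLE-constructed-salt");
define('WP_DEBUG', false);
"""

def find_logged_secrets(log_text):
    """Return {constant: [line numbers]}; values are never returned or printed."""
    hits = {}
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for m in DEFINE_RE.finditer(line):
            name = m.group("name")
            if name in DB_KEYS | SALT_KEYS and m.group("value"):
                hits.setdefault(name, []).append(lineno)
    return hits

def rotation_plan(hits):
    """Translate findings into the remediation steps they imply."""
    actions = []
    if hits.keys() & {"DB_USER", "DB_PASSWORD"}:
        actions.append("rotate database credentials")
    if hits.keys() & SALT_KEYS:
        actions.append("regenerate WordPress keys and salts (invalidates sessions)")
    if hits:
        actions.append("delete the log and block web access to its directory")
    return actions

if __name__ == "__main__":
    found = find_logged_secrets(SAMPLE_LOG)
    for name, lines in sorted(found.items()):
        print(f"{name}: logged on line(s) {lines}")
    print("\n".join(rotation_plan(found)))
```

Run it against a copy of the log taken from the server's filesystem; reporting only constant names and line numbers keeps the triage output itself from repeating the leaked values.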