Just a quick one…. I noticed in my webserver logs, a whole bunch of directory walk “script kiddie” exploit attempts to various wordpress sites on my server, attempting to retrieve my wordpress configuration file: wp-config.php
.
A directory walk attack is where someone will attempt to use a download feature of some plugin or other in attempt to trick it to retrieve a different file, by passing ../
before the file name. E.g.
GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
None of these exploits was successful, since this is an obvious approach which should be sanitised out of inputs, but part of having a secure system is the concept of strength in depth and every programmer makes mistakes.
So, I knocked together a quick modsecurity rule:
SecRule ARGS "(\.\.\/)+wp-config.php"\ "phase:1,log,deny,status:503,msg:'Attempt to download wp-config.php via the GET line'"
Which seems to shut this one exploit down. HTH 🙂
RT @mapkyca: Blocking access to wp-config.php with modsecurity marcus-povey.co.uk/2015/06/25/blo…
likes this.