Block another WordPress vulnerability.

Flameeyes · Jul 2, 2017 · 2f94572 · 2f94572
1 parent cf86c6d
commit 2f94572
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/rules/flameeyes_40_exploits_blacklist.conf b/rules/flameeyes_40_exploits_blacklist.conf
@@ -17,6 +17,13 @@ SecRule REQUEST_URI "@contains /Y-ivrrecording.php" \
 SecRule REQUEST_URI "/timthumb\.php?src=.*(?:picasa|blogger|flickr)\.com\..*" \
         "id:434030,phase:1,msg:'Known vulnerability requested, %{REMOTE_ADDR} blacklisted.',setvar:ip.blacklisted=1,expirevar:ip.blacklisted=%{TX.IP_EXPIRATION}"
 
+# This appears to be yet another WP vulnerability that tries to upload
+# a login file, trying to find the tiny_mce module. Since the
+# parameter "type=file/wp-login.php" would not appear to ever be a
+# valid type, just block all of them.
+SecRule QUERY_STRING "@contains type=file/wp-login.php"
+	"id:434031,phase:1,t:lowercase,msg:'Known vulnerability requested, blacklisting IP.',setvar:ip.blacklisted=1,expirevar:ip.blacklisted=%{TX.IP_EXPIRATION},logdata:'%{REMOTE_ADDR}'"
+
 SecRule REQUEST_URI "@beginsWith /vtigercrm" \
 	"id:434040,phase:1,msg:'Known vulnerability requested, %{REMOTE_ADDR} blacklisted.',setvar:ip.blacklisted=1,expirevar:ip.blacklisted=%{TX.IP_EXPIRATION}"