[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Wordpress iThemes Security (Better WP Security) Insecure Backup/Logfile Generation (access rights)

To: oss-security@xxxxxxxxxxxxxxxxxx, fulldisclosure@xxxxxxxxxxxx
Subject: [FD] Wordpress iThemes Security (Better WP Security) Insecure Backup/Logfile Generation (access rights)
From: Sysdream Labs <labs@xxxxxxxxxxxx>
Date: Thu, 21 Apr 2016 09:12:21 +0100

Wordpress iThemes Security (Better WP Security) Insecure Backup/Logfile 
Generation (access rights)
==================================================================================================


Description
===========

A vulnerability has been found in iThemes Security backup function that may 
allow attackers to gain access to backup/log files.


By default, when using the "database backup on filesystem" feature, iThemes 
Security saves the backup files in a world-readable directory :

wp-content/uploads/ithemes-security/backups

The .htaccess file is generated during the plugin initial setup/update, only if 
the wp-content/uploads/ithemes-security/backups exists (or 
wp-content/uploads/ithemes-security/logs). Note that it does *NOT* exists by 
default.

When running a backup, the ITSEC_Backup class creates the directory but 
*without* any .htaccess file inside.
The same thing happens with log saving.

If the webserver has directory listing enabled, then anybody can download the 
complete database backup or view the log files.


**Access Vector**: remote

**Security Risk**: high

**Vulnerability**: CWE-219

**CVSS Base Score**: 7.5

---------------
Vulnerable code
---------------

The vulnerable code is located in core/modules/backup/class-itsec-backup.php, 
line 246 :

    if ( ! is_dir( $itsec_globals['ithemes_backup_dir'] ) ) {
        @mkdir( trailingslashit( $itsec_globals['ithemes_dir'] ) . 'backups' );
    }

And in core/class-itsec-logger.php, line 31 :

    //Make sure the logs directory was created
    if ( ! is_dir( $itsec_globals['ithemes_log_dir'] ) ) {
            @mkdir( trailingslashit( $itsec_globals['ithemes_dir'] ) . 'logs' );
    }

The application creates the backup/log directory, but *not* the .htaccess/index 
file inside.

--------
Solution
--------

Add a default index file file inside the backup folder when creating the 
directory or store the backups outside of the web root.

Update iThemes Security to version >= 5.3.1

Timeline (dd/mm/yyyy)
=====================

* 26/02/2016 : Initial contact with iThemes.
* 26/02/2016 : iThemes confirms the vulnerabilities.
* 29/02/2016 : iThemes publishes a new version (5.3.1) of iThemes Security that 
fixes the vulnerabilities.

Credits
=======

* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)



-- 
SYSDREAM Labs <labs@xxxxxxxxxxxx>

GPG :
47D1 E124 C43E F992 2A2E
1551 8EB4 8CD9 D5B2 59A1

* Website: https://sysdream.com/
* Twitter: @sysdream

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] Time-based SQL Injection in Admin panel ImpressCMS <= v1.3.9
Next by Date: [FD] Wordpress iThemes Security (Better WP Security) Insecure Backup/Logfile Generation (predicatable filename)
Previous by thread: [FD] Time-based SQL Injection in Admin panel ImpressCMS <= v1.3.9
Next by thread: [FD] Wordpress iThemes Security (Better WP Security) Insecure Backup/Logfile Generation (predicatable filename)
Index(es):
- Date
- Thread