WordPress Backup Plugin 2.0.1 - Information Disclosure

ID EDB-ID:19524
Type exploitdb
Reporter Stephan Knauss
Modified 2012-07-02T00:00:00


WordPress Backup Plugin 2.0.1 - Information Disclosure. Webapps exploit for php platform

                                            # Exploit Title: WordPress Backup plugin exposes site data
# Google Dork: http://www.google.com/search?q=inurl:wp-content/backup.log*
# Date: 01-jul-2012
# Exploit Author: Stephan Knauss
# Vendor Homepage: http://wordpress.org/extend/plugins/backup/
# Software Link: http://downloads.wordpress.org/plugin/backup.2.0.1.zip
# Version: 2.0.1

About Plugin:
Backup is a plugin that provides backup capabilities for WordPress. Backups are zip archives created locally and uploaded to a folder of your choosing on Google Drive.

The default configuration exposes a logfile with filenames of the actual backups. The backup files are available for download once the name is extracted from this logfile. 

Depending on the settings this gives access to a copy of the WordPress database, wp-content, uploads, plugins or complete site.

Local folder path setting should be set to a value that can not be guessed by default. Until a fix is available it is up to the user of the plugin to configure it accordingly.

Detection and Google Dork:
Blog is vulnerable if http://www.example.com/wp-content/backup/backup.log exists.
Usually the logfile is not indexed. Still possibe to match in rare occasions:
or trace back vulnerable blogs from logfiles being posted

Plugin is downloaded 15.000 times, with a download rate of currently 400 downloads a day.