WordPress XCloner 3.1.5 Denial Of Service / Code Execution

Reported by Felipe Molina, 09 Nov 2016 00:00:00. Type: packetstorm. Source: packetstormsecurity.com

XCloner 3.1.5 Vulnerabilities - DoS / Code Execution

```text
# Exploit Title: XCloner <= 3.1.5 Multiple Vulnerabilities
# Google Dork: inurl:"plugins/xcloner-backup-and-restore/readme.txt" -site:wordpress.org
# Date: 08/11/2016
# Exploit Author: Felipe Molina (@felmoltor)
# Vendor Homepage: www.xcloner.com
# Software Link: https://es.wordpress.org/plugins/xcloner-backup-and-restore/
# Version: 3.1.5 and lower
# Tested on: Ubuntu 14 and PHP 5
# Product description: XCloner is a plugin for WordPress and Joomla! with more than 70.000 active installations to easily execute backups and restores on your CMS.

Authenticated DoS or CMS destruction
--------------------------------------------------------
Summary: XCloner does not check the file path it is going to unlink
before unlinking it. Therefore, deletion of arbitrary files on the file
system accessible by the web process is possible. Destruction of the
blog can be achieved with the following PoC:

1. Authenticate to WordPress as an administrator
2. Access XCloner at the following URL:
* http://example.com/wp-admin/plugins.php?page=xcloner_show&option=xcloner&task=cron_delete&fconfig=../../../../wp-config.php
3. See how your WordPress stops working.
4. In case the web server is running with higher privileges, a more destructive action would be possible by deleting O.S. critical files.

Authenticated RCE
----------------------------
Summary:
XCloner does not filter the command line that is used to execute the
tar of a backup.
Arbitrary shell commands can be injected in this field.
File creation on the file system can be achieved with the following PoC:

1. Authenticate to WordPress as an administrator
2. Go to Plugins -> XCloner
3. Navigate to Administration -> Configuration -> General
4. In "Server Use Options" set the field "Tar path or command" to
the following value:
* tar -h; cp /etc/passwd ./passwd.txt ; tar -k
5. Now go to "Actions -> Generate Backup"
6. Find the file passwd.txt in the WordPress root folder
7. Navigate to http://example.com/passwd.txt to see the file /etc/passwd
8. Looking at the code, the field to specify the mysqldump command
"Mysqldump path or command" is also injectable, but I do not have a PoC
for it.

--

Felipe Molina de la Torre (@felmoltor)
```
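Both findings come down to trusting an administrator-controlled string where the code should have validated it: a file name that is passed straight to unlink, and a "tar path" that is handed to the shell as a command line. As an added, defender-side illustration (this is not XCloner's code and not part of Felipe Molina's advisory), the PHP below shows the two checks a fixed plugin would need. The function names, the backup directory location and the sample values are assumptions made for the example.

```php
<?php
// Added example, not XCloner's code. Illustrates the two hardening steps the
// advisory above implies: confine deletions to the backup directory, and stop
// treating the configured tar setting as a free-form shell command.

/**
 * Delete a backup only if the resolved path stays inside $backupDir.
 * Returns true on deletion, false when the name escapes the directory,
 * is not a plain file name, or does not exist.
 * Mitigates the cron_delete / fconfig traversal.
 */
function delete_backup_safely(string $backupDir, string $requested): bool
{
    $base = realpath($backupDir);          // canonical backup directory (assumed to exist)
    if ($base === false) {
        return false;
    }
    // A backup name is a bare file name: anything containing a path
    // component (e.g. "../../../../wp-config.php") is rejected up front.
    if ($requested === '' || $requested !== basename($requested)) {
        return false;
    }
    // realpath() resolves "..", "." and symlinks; the result must still
    // sit strictly below $base.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    if (!is_file($target)) {
        return false;
    }
    return unlink($target);
}

/**
 * Build the archive command from a configured tar *path* rather than a
 * free-form command string, and escape every argument. The same pattern
 * applies to a configured mysqldump path.
 * Returns null when the setting is not an absolute path to an executable
 * made of plain path characters (no spaces, ';', '|', '$', quotes, ...).
 */
function build_tar_command(string $tarPath, string $archive, string $sourceDir): ?string
{
    if (!preg_match('#^/[A-Za-z0-9_./-]+$#', $tarPath) || !is_executable($tarPath)) {
        return null;
    }
    return $tarPath . ' -czf ' . escapeshellarg($archive)
        . ' -C ' . escapeshellarg($sourceDir) . ' .';
}

// Usage with illustrative (assumed) paths:
// delete_backup_safely('/var/www/html/wp-content/xcloner-backups', '../../../../wp-config.php'); // false
// delete_backup_safely('/var/www/html/wp-content/xcloner-backups', 'backup-2016-11-08.tgz');     // true if that file exists
// build_tar_command('/bin/tar', '/tmp/backup.tgz', '/var/www/html');                              // "/bin/tar -czf '/tmp/backup.tgz' -C '/var/www/html' ."
// build_tar_command('tar -h; cp /etc/passwd ./passwd.txt ; tar -k', '/tmp/backup.tgz', '/var/www/html'); // null
```

The delete check rejects the traversal value from the first PoC before any filesystem call is made, and the realpath comparison also catches symlinks placed inside the backup directory. For the command builder, the point is that a "path or command" option should be a path only: once the binary location is validated and the arguments are escaped with escapeshellarg, the value from the second PoC can no longer introduce a second command.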
