Lucene search
+L

BackWPup WordPress Plugin 1.4.0 File Content Disclosure

🗓️ 28 Feb 2011 00:00:00Reported by Danilo MassaType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 21 Views

BackWPup 1.4.0 File Content Disclosure, high severity, allows unauthenticated remote access to sensitive files like /etc/passwd via unfiltered parameter in BackWPup plugin php pages

Code
`=============================================  
- Release date: Feb 28th, 2010  
- Discovered by: Danilo Massa  
- Severity: High  
=============================================  
  
I. VULNERABILITY  
-------------------------  
BackWPup Wordpress plugin <= 1.4.0 File content disclosure  
  
II. BACKGROUND  
-------------------------  
BackWPup 1.4.0 is a full-featured backup management solution for Wordpress.   
The plugin provide:  
- Database Backup  
- WordPress XML Export  
- Optimize Database  
- Check\Repair Database  
- File Backup  
- Backups in zip,tar,tar.gz,tar.bz2 format  
- Store backup to Folder  
- Store backup to FTP Server  
- Store backup to Amazon S3  
- Store backup to RackSpaceCloud  
- Store backup to DropBox  
- Send Log/Backup by eMail  
  
III. INTRODUCTION  
-------------------------  
BackWPup version 1.4.0 (and may be the previous ones too) has an unfiltered   
parameter inside   
  
two php pages that let a remote user to access sensitive files like /etc/passwd.  
No authentication required. No plugin activation required.  
  
IV. DESCRIPTION  
-------------------------  
Input passed via the "wpabs" parameter to the php pages  
- wp-content/plugins/backwpup/app/options-view_log-iframe.php  
- wp-content/plugins/backwpup/app/options-runnow-iframe.php  
is not sanitized before being used.  
  
Both files starts trying to include the wp-load.php file using the wpabs   
parameter that can  
be inject with a direct call to the page.  
  
options-view_log-iframe.php:  
<?PHP  
if (file_exists($_GET['wpabs'].'wp-load.php') and file_exists($_GET['logfile']))   
{  
require_once($_GET['wpabs'].'wp-load.php'); /** Setup WordPress environment */  
...  
options-runnow-iframe.php:  
if (file_exists($_GET['wpabs'].'wp-load.php') and   
is_numeric(trim($_GET['jobid']))) {  
require_once($_GET['wpabs'].'wp-load.php'); /** Setup WordPress environment */  
...  
  
inserting a string terminator %00 inside the wpabs parameter is possible to   
specify a file  
name instead of a directory and let it being included in the web page.  
NOTE: also the   
  
V. PROOF OF CONCEPT  
-------------------------  
Below is a harmless test that can be executed on a Unix machine that hosts   
wordpress with the  
vulnerable plugin.  
http://<wordpress_site>/wp-content/plugins/backwpup/app/options-runnow-iframe.php?wpabs=/etc/passwd%00&jobid=1  
  
  
http://<wordpress_site>/wp-content/plugins/backwpup/app/options-view_log-iframe.php?wpabs=/etc/passwd%00&logfile=/etc/passwd  
  
Both of them will display the /etc/passwd file.  
  
VI. BUSINESS IMPACT  
-------------------------  
An attacker could exploit the vulnerability to retrieve virtually any text file   
accessible by the wep application server user.  
  
VII. SYSTEMS AFFECTED  
-------------------------  
Version 1.4.0 is vulnerable.  
Versions <1.4.0 could be vulnerable.  
  
VIII. SOLUTION  
-------------------------  
Upgrade to a patched release or as quick workaround enclose   
any $_GET['wpabs'] in a trim call like this:  
if (file_exists(trim($_GET['wpabs']).'wp-load.php') and   
file_exists($_GET['logfile'])) {  
  
IX. REFERENCES  
-------------------------  
http://wordpress.org/extend/plugins/backwpup/  
http://danielhuesken.de/portfolio/backwpup/  
  
X. CREDITS  
-------------------------  
The vulnerability has been discovered by Danilo Massa  
danilo(under_score)m(at)yahoo(dot)com  
  
XI. VULNERABILITY HISTORY  
-------------------------  
January 28th, 2011: Vulnerability identification  
January 30th, 2011: Vendor notification  
January 30th, 2011: Vendor release an updated version (1.4.1)  
February 28th, 2011: Vulnerability disclosure  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is" with  
no warranties or guarantees of fitness of use or otherwise. I accept no  
responsibility for any damage caused by the use or misuse of this   
information.  
  
  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation