#################### # Meta information # #################### # Exploit Title: Wordpress plugin simple-backup - Multiple vulnerabilities # Date: 2016-06-02 # Exploit Author: PizzaHatHacker [A] gmail [.] com # Vendor Homepage: [DEAD LINK] https://wordpress.org/plugins/simple-backup/ # Software Link: [DEAD LINK] https://downloads.wordpress.org/plugin/simple-backup.2.7.11.zip # Version: 2.7.11 # Tested on: simple-backup 2.7.11 & Wordpress 4.4.2 # # History : # 2016-02-21 Contact requested on the vendor website via "Contact Us" # 2016-02-24 Contact requested on the vendor website via "Support" # 2016-03-09 Email to plugins@wordpress.org # 2016-03-10 Acknowledged by Wordpress team # 2016-06-02 No information, no response, vulnerabilities not fixed, # disclosure of this document. # ################################## ### 1. Arbitrary File Deletion ### ################################## It is possible to remotely delete arbitrary files on the webserver on wordpress blogs that have simple-backup plugin installed and enabled. No authentication is required, the default configuration of simple-backup is affected. Example 1 : Delete "pizza.txt" in wordpress root : http://127.0.0.1//wp-admin/tools.php?page=backup_manager&delete_backup_file=../pizza.txt Example 2 : Delete .htaccess file protecting the backup folder : http://127.0.0.1//wp-admin/tools.php?page=backup_manager&delete_backup_file=.htaccess&download_backup_file=inexisting Note : When 'download_backup_file' parameter is provided with an invalid filepath, the PHP script exits prematurely with message "Access Denied!" and so does not regenerate automaticaly the .htaccess file. After this request, it may be possible (depending on the web server configuration) to browse the backup directory and download server backup files at this URL : http://127.0.0.1//simple-backup/ The backup archive files may contain all the wordpress files : configuration files (wp-config.php etc.), PHP source code (plugins, etc.), and a database dump (all tables content, wordpress users passwords etc.). CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:P/A:P) CVSS Base Score : 7.5 Impact Subscore : 6.4 Exploitability Subscore : 10 ######################## ### 2. File Download ### ######################## It is possible to download remote files from the webserver on wordpress blogs that have simple-backup plugin installed and enabled. No authentication is required, the default configuration of simple-backup is affected. Example 1 : Download tools.php source file : http://127.0.0.1//wp-admin/tools.php?page=backup_manager&download_backup_file= Example 2 : Download a backup file : http://127.0.0.1//wp-admin/tools.php?page=backup_manager&download_backup_file=backup-2016-02-21-111047.tar (If backups are performed automatically at predefined times, it is easy to find the backup file name, as it is based on the current time). Moreover, the checks performed on user-provided 'filename' parameter are insufficient : simple-backup-manager.php:function download_local_backup_file($filename){ $filename = ltrim($filename, ".\/"); * Only logged-in AND authorized users (with permissions to manage backups) should be allowed to download files * The file name should match a backup file and must not be empty * The input is not correctly checked for directory traversal (use PHP 'basename' instead of 'ltrim') For example in the special case where a folder 'oldBackups' is created inside the backup directory, it would be possible to download ANY file on the web server via direct requests to this kind of URLs : http://127.0.0.1//wp-admin/tools.php?page=backup_manager&download_backup_file=oldBackups/../../wp-config.php http://127.0.0.1//wp-admin/tools.php?page=backup_manager&download_backup_file=oldBackups/../../../../../../etc/passwd CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSS Base Score : 5 Impact Subscore : 2.9 Exploitability Subscore : 10