oss-sec mailing list archives

CVE-2014-3114 WordPress plugin ezpz-one-click-backup cmd parameter os command injection


From: Henri Salo <henri () nerv fi>
Date: Thu, 1 May 2014 12:09:04 +0300

Product: WordPress plugin EZPZ One Click Backup
Vulnerability type: CWE-78 OS Command Injection
Vulnerable versions: 12.03.10 and some earlier versions
Fixed version: N/A
Solution: Remove plugin
Vendor notification: Contact details N/A
WordPress plugins team notification: 2014-04-30
Risk: High
CVE: CVE-2014-3114

Vulnerability Details:

The plugin contains a flaw that is triggered because input passed via the
'cmd' parameter to ezpz-archive-cmd.php is not sanitized before being handed to
exec(). With a specially crafted request, an unauthenticated remote attacker can
execute arbitrary commands directly on the operating system.

http://plugins.svn.wordpress.org/ezpz-one-click-backup/tags/12.03.10/functions/ezpz-archive-cmd.php

<?php
if (isset($_GET['cmd'])){
    // Attacker-controlled GET parameter goes straight to exec(); no
    // authentication, nonce check, or input validation precedes it.
    exec(urldecode($_GET['cmd']));
    tmp_write("<h2>Running zip page...<h2>");
}

?>

Steps to reproduce:

http://example.com/wp-content/plugins/ezpz-one-click-backup/functions/ezpz-archive-cmd.php?cmd=uptime
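Since the only fix is removal, site owners will want to know whether the script was ever reached. The following log triage helper is an added example, not part of this advisory: it scans web server access log lines (combined log format assumed; the sample lines are constructed) for requests to ezpz-archive-cmd.php that carry a cmd parameter, and decodes the value the same way the plugin does.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Path of the vulnerable script, relative to the WordPress document root
VULN_PATH = "/wp-content/plugins/ezpz-one-click-backup/functions/ezpz-archive-cmd.php"

# Apache/nginx combined log format: client, ident, user, [timestamp], "request", status, size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample log lines (not real traffic); RFC 5737 documentation addresses
SAMPLE_LOG = [
    '203.0.113.5 - - [01/May/2014:10:15:01 +0300] "GET /wp-content/plugins/ezpz-one-click-backup/functions/ezpz-archive-cmd.php?cmd=%75ptime HTTP/1.1" 200 61 "-" "curl/7.35.0"',
    '203.0.113.5 - - [01/May/2014:10:15:07 +0300] "GET /wp-content/plugins/ezpz-one-click-backup/functions/ezpz-archive-cmd.php?cmd=%2575ptime HTTP/1.1" 200 61 "-" "curl/7.35.0"',
    '198.51.100.9 - - [01/May/2014:10:16:00 +0300] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/May/2014:10:16:10 +0300] "GET /wp-content/plugins/ezpz-one-click-backup/functions/ezpz-archive-cmd.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]


def find_cmd_requests(lines):
    """Return one finding per request to the vulnerable script that carries a cmd parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        client, ts, method, target, status = m.groups()
        parts = urlsplit(target)
        # endswith() also catches installs under a subdirectory (e.g. /blog/wp-content/...)
        if not parts.path.endswith(VULN_PATH):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        if "cmd" not in params:
            continue
        # parse_qs decodes once (as PHP does for $_GET); the plugin then calls
        # urldecode() again, so a second unquote() shows what exec() actually saw.
        cmd = unquote(params["cmd"][0])
        findings.append({"client": client, "time": ts, "method": method,
                         "status": int(status), "cmd": cmd})
    return findings


if __name__ == "__main__":
    for f in find_cmd_requests(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['method']} status={f['status']} cmd={f['cmd']!r}")
```

Any hit, regardless of the command, means the script was reachable and the host should be treated as compromised until proven otherwise.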

Notes:

The plugin can no longer be downloaded via the WordPress admin panel or from the
links below, but it is still installed on many sites, as the following search
shows:
inurl:"/wp-content/plugins/ezpz-one-click-backup/"

https://wordpress.org/plugins/ezpz-one-click-backup/
http://downloads.wordpress.org/plugin/ezpz-one-click-backup.latest-stable.zip

From the developer's website, 2012-04-27:
"""
Due to recent changes in the Dropbox API, EZPZ One Click Backup can no longer
save files to Dropbox.

I apologize but due to various reasons there will be no new versions released or
further support for EZPZ OCB in the foreseeable future.

For a reliable, inexpensive alternative I recommend trying MyRepono and the
MyRepono Plugin. This service, while not entirely free (the fees are as low as
2¢ a day for a small site), works great on WordPress sites as large as 5GB,
maybe even larger. MyRepono gives a $5.00 credit when signing up for the service
so there is no cost to try it out.

Again, I apologize to all EZPZ One Click Backup users and wish you all the best.
"""

Might be related:
http://wordpress.org/support/topic/plugin-ezpz-one-click-backup-possible-security-flaw

---
Henri Salo
