oss-sec mailing list archives
Re: CVE-2014-9119: DB Backup plugin for WordPress download.php file Parameter Remote Path Traversal File Access
From: Ryan Dewhurst <ryandewhurst () gmail com>
Date: Tue, 16 Dec 2014 18:26:42 +0100
I suspect WordPress have removed it from their online database until there is a patch available. We've seen them do this quite often.

Google has a cache of the page from yesterday: 15 Dec 2014 05:11:28 GMT.

On Tue, Dec 16, 2014 at 6:20 PM, Larry W. Cashdollar <larry0 () me com> wrote:

When going to this plugin page (https://wordpress.org/plugins/db-backup/) I get:

Whoops! We couldn't find that plugin. Maybe you were looking for one of these?

On Dec 16, 2014, at 11:51 AM, Henri Salo <henri () nerv fi> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Product: WordPress plugin db-backup
Plugin page: https://wordpress.org/plugins/db-backup/
Developer: Syed Amir Hussain "syedamirhussain91"
Vulnerability Type: Remote Path Traversal File Access
CWE-23: Relative Path Traversal
Vulnerable Versions: 4.5 and earlier
Fixed Version: N/A
Vendor Notification: 2014-11-27
Public Disclosure: 2014-12-16
CVE Reference: CVE-2014-9119
Criticality: High

Vulnerability details:

DB Backup plugin for WordPress contains a flaw that allows traversing outside of a restricted path. The issue is due to the download.php script not properly sanitizing user input, specifically path traversal style attacks (e.g. '../'). With a specially crafted request, a remote attacker can gain read access to arbitrary files, limited by system operational access control.

This vulnerability can be used to get WordPress authentication keys and salts, database address and credentials, which can be used in certain environments to elevate privileges and execute malicious PHP code.

Root cause: Unsanitized user input to readfile() function.

Proof-of-concept:

/wp-content/plugins/db-backup/download.php?file=../../../wp-config.php

Timeline:

2014-11-27: Reported to developer and WordPress plugins team.
2014-11-27: CVE assigned and reported to developer.
2014-11-28: Communication with developer and he said this will be fixed.
2014-12-02: Asked status from developer.
2014-12-03: Developer says this will be fixed by 7th.
2014-12-07: Asked status from developer.
2014-12-08: Developer responds.
2014-12-09: Asked more details from developer.
2014-12-10: More discussion about the solution and new disclosure date set.
2014-12-16: Agreed disclosure date was 15th, I don't understand issue with patching so public disclosure.

Please note that there are hundreds of backup plugins in WordPress Plugin Directory.

Notes:

- Remove plugin "db-backup" as deactivation does not fix the issue.
- Use another plugin until patch is available and new version is published.
- Sites I know using this plugin will be notified via abuse emails today.

References:

http://cwe.mitre.org/data/definitions/23.html
https://scapsync.com/cwe/CWE-23
https://www.owasp.org/index.php/Path_Traversal
https://www.owasp.org/index.php/Testing_for_Path_Traversal_%28OTG-AUTHZ-001%29

--
Henri Salo

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlSQYwcACgkQXf6hBi6kbk8uHwCeJfQd1Vjc2Rr6kzyFxF8rC4NW
zbMAoKG4tidQkLM5qrnyIfHTVZPXbOdk
=5Nmf
-----END PGP SIGNATURE-----
Current thread:
- CVE-2014-9119: DB Backup plugin for WordPress download.php file Parameter Remote Path Traversal File Access Henri Salo (Dec 16)
- Re: CVE-2014-9119: DB Backup plugin for WordPress download.php file Parameter Remote Path Traversal File Access Ryan Dewhurst (Dec 16)
- Re: CVE-2014-9119: DB Backup plugin for WordPress download.php file Parameter Remote Path Traversal File Access Larry W. Cashdollar (Dec 16)
- Re: CVE-2014-9119: DB Backup plugin for WordPress download.php file Parameter Remote Path Traversal File Access Henri Salo (Dec 16)
- Re: CVE-2014-9119: DB Backup plugin for WordPress download.php file Parameter Remote Path Traversal File Access Ryan Dewhurst (Dec 16)