oss-sec mailing list archives

Re: Wordpress Plugin: FTP To Zip 1.8


From: Abhishek Ghosh <dr.abhishek_ghosh () hotmail com>
Date: Mon, 22 Jun 2015 15:46:54 +0530

Hello,

I am the developer of the Plugin. The plugin's intended function is to create a zip without any password prompt, which the OP 
in this public mail is thinking of as a flaw!

The person's report is baseless and proves the fact that he/she has not read the README file - 
http://plugins.svn.wordpress.org/ftp-to-zip/tags/1.8/readme.txt 
Even if a new user installs the plugin WITHOUT reading the long description, the script of the plugin, even if run by 
just an ordinary person, will only zip the wp-content directory. The wp-content directory holds only themes, plugins and 
uploads. The wp-content directory is NOT intended for keeping personal data or sensitive data related to the WordPress 
installation (with default settings). The WordPress configuration file holding the database details resides one level up 
from the wp-content directory. Usage directions are written in the "Installation" part, which the person who created 
this public mail has not read. It is clearly written in the readme file:


This Plugin is intended for the advanced users - either block the downloadable zip file via .htaccess or take an 
alternative measure.


In shared hosting environments, aPaaS and PaaS, in case an installation gets hacked and there are not even good ways 
to log in, and no compression option is offered by the host, the user will have the capability to take a faster 
file-level backup of the whole FTP content and wget it from a different provider. The description clearly says the 
intention:


FTP to Zip takes browser based FTP backup of WordPress plus other folders.


It is not for keeping unsecured; it is clearly written:


This Plugin is intended for the advanced users - either block the downloadable zip file via .htaccess or take an 
alternative measure.


The person has not manually checked the code:

http://plugins.svn.wordpress.org/ftp-to-zip/tags/1.8/backup.php 

http://plugins.svn.wordpress.org/ftp-to-zip/tags/1.8/run.php 


These are normal PHP functions. There is absolutely no security issue in the code itself.
It holds true for all WordPress Plugins - if there is any major flaw, reporting to WordPress dot ORG or personally 
contacting the plugin developer is always better.

Most importantly, if I discover a real security flaw, the first work is to preserve the secrecy until the bug is fixed. 
None of us opens a public mail and describes the flaw. If it was a genuine security risk, the users would be targeted by 
some script kiddies.

In the same way, HyperDB needs manual installation; this is not for ordinary users: 
https://wordpress.org/plugins/hyperdb/

wget-ing the WordPress tarball and uncompressing it is also dangerous in one sense. Quite a practical fact - if the 
server admin wgets WordPress here http://www.openwall.com/Owl/ and leaves it open to the public, I can run the 
installer file with a database on HP Cloud!  Shouting "Open CVE" without contacting anyone first can prove to be fatal 
for your freelancing. WordPress offers an official support forum for each plugin - 
https://wordpress.org/support/plugin/ftp-to-zip


Without stepwise prior work, the OP's opening of a public mail makes it appear as if WordPress Plugin curators are 
careless, which is quite pathetic and not true.

If "automatic control" was required, I could put the PHP snippet inside any one of these example WordPress plugins 
https://github.com/Abhishek-Ghosh/Basic-WordPress-Plugin-Frameworks - which would demand login to WordPress to execute 
the script. For that work, there are many plugins.

Even if someone keeps the plugin like the OP without understanding, actually the outsider will never know the credentials 
related to WordPress. From WordPress, if a serious security flaw is present, an official email is sent. In extreme cases, 
they are removed. You are welcome to WordPress development, but kindly do not insult the core WordPress developers who are 
maintaining the plugin repository via another Free Software project. For Free Software projects we do not need to use a 
Third Party Free Software project for reporting bugs. At least read the lines:


The Plugin is fail proof and is powerful, but usage must be judicial.



Regards,

Dr. Abhishek Ghosh; M.S., PhD (PDT)

Contact website - https://thecustomizewindows.com/

[ further public mails will not be answered ]
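The point made above, that the backup script could be gated behind a WordPress login (with .htaccess on the generated zip as the alternative), as an added example that is not the FTP To Zip plugin's own code: a small plugin that builds a zip of wp-content only for a logged-in administrator who submits a nonce-protected form from the dashboard, writes the archive to the server's temp directory instead of a web-accessible folder, and streams it to the administrator before deleting it, so there is no leftover zip for an outsider to fetch. The plugin name, function names, page slug and nonce action are hypothetical.

```php
<?php
/*
Plugin Name: Gated Backup Trigger
Description: Added example (hypothetical; not FTP To Zip's code). Zips wp-content for
an administrator only, behind a WordPress login, a capability check and a nonce.
*/

// Build a zip of wp-content in the temp directory (outside the document root).
// Returns the absolute path of the archive, or false on failure.
function gated_backup_build_zip() {
    $source = untrailingslashit(WP_CONTENT_DIR);   // only wp-content, as the README describes
    $name   = 'wp-content-' . gmdate('Ymd-His') . '-' . wp_generate_password(24, false) . '.zip';
    $target = get_temp_dir() . $name;              // unguessable name, not under the web root

    $zip = new ZipArchive();
    if ($zip->open($target, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
        return false;
    }
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($source, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::LEAVES_ONLY
    );
    foreach ($files as $file) {
        $path = $file->getPathname();
        // Store paths relative to wp-content so the archive unpacks cleanly.
        $zip->addFile($path, substr($path, strlen($source) + 1));
    }
    $zip->close();
    return $target;
}

// admin_post_{action} fires only for logged-in users; anonymous requests to
// admin-post.php never reach this handler (that would need admin_post_nopriv_).
add_action('admin_post_gated_backup', 'gated_backup_handler');

function gated_backup_handler() {
    if (!current_user_can('manage_options')) {
        wp_die('You are not allowed to run backups.', 403);
    }
    check_admin_referer('gated_backup_run');       // dies unless the _wpnonce field is valid

    $archive = gated_backup_build_zip();
    if ($archive === false) {
        wp_die('Backup failed.', 500);
    }

    // Stream the archive to the administrator, then delete it: nothing downloadable
    // remains on disk, so no .htaccess rule for the zip is needed.
    nocache_headers();
    header('Content-Type: application/zip');
    header('Content-Disposition: attachment; filename="' . basename($archive) . '"');
    header('Content-Length: ' . filesize($archive));
    readfile($archive);
    unlink($archive);
    exit;
}

// A page under Tools (administrators only) carrying the nonce-protected form.
add_action('admin_menu', function () {
    add_management_page('Gated Backup', 'Gated Backup', 'manage_options', 'gated-backup', function () {
        echo '<div class="wrap"><h1>Gated Backup</h1>';
        echo '<form method="post" action="' . esc_url(admin_url('admin-post.php')) . '">';
        echo '<input type="hidden" name="action" value="gated_backup">';
        wp_nonce_field('gated_backup_run');        // emits the _wpnonce field checked above
        submit_button('Download wp-content backup');
        echo '</form></div>';
    });
});
```

Placed under wp-content/plugins and activated, this replaces the direct call to a standalone PHP file with a request that WordPress itself authenticates: admin-post.php loads WordPress, so the hook only runs for a logged-in user, the capability check limits it to administrators, and the nonce ties the request to a form that user actually submitted.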


On 21-Jun-2015, at 5:20 pm, 0pc0deFR <0pc0defr () gmail com> wrote:

Hello,

The FTP To Zip 1.8 WordPress plugin is vulnerable to unauthenticated execution. With this vulnerability, you can create a 
zip archive of a WordPress install and you can download this archive 
(http://domain.tld/wp-content/plugins/ftp-to-zip/backup.php).
A CVE is needed, please.

Download plugin: https://downloads.wordpress.org/plugin/ftp-to-zip.1.8.zip
--
Regards,

Kévin FALCOZ aka 0pc0deFR - WordPress Expert Consultant - http://wordpress-expertise.fr 

