XCloner - Backup and Restore <= 3.1.4 - Authenticated Path Traversal


Description
Authenticated users are able to perform directory listings at any location accessible to the WordPress user, leaking the filenames of previous backups. This was found in XCloner - Backup and Restore version 3.1.4, but may have been present in earlier versions. Because the backup download is not authenticated, an attacker who learns the otherwise secret file path of a previous backup from such a listing can retrieve the full backup contents.
Proof of Concept
Log in as a regular, unprivileged user (subscriber):

1. Visit http://wordpress/wp-admin/admin-ajax.php?action=files_xml.
   This returns an XML listing of the files in the root of the WordPress
   installation, together with its full path.
2. Add a `dir` GET parameter to the URL to browse to a specific directory.
   The path has to be longer than the value of the `backup_path`
   configuration variable on the server, but this check is bypassable by
   adding leading slashes to the path, i.e. /foo/bar → /////////foo/bar, adding
   slashes by trial and error until the path is longer than the configured one.
   In this case, we want to leak previous backups, so navigate to
   http://wordpress/wp-admin/admin-ajax.php?action=files_xml&dir=///////var/www/html/administrator/backups
3. Backups are enumerated in this listing; you can then browse to their
   location. Depending on the previous steps, the URL would be something like:
   http://wordpress/administrator/backups/{BACKUP_FILENAME}
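As an added example (not code from the plugin or the advisory author), the following contrasts a length-only check of the kind the advisory describes with a containment check that canonicalizes the requested directory before comparing it to the backup directory, and wraps it in a handler that also requires an administrator capability and a nonce. The function names, the nonce action and the literal backup path are assumptions; the hook name follows WordPress' `wp_ajax_{action}` mapping for the `action=files_xml` endpoint.

```php
<?php
// Added example, not XCloner's own code: a length-only check of the kind the
// advisory describes, beside a containment check that canonicalizes the
// requested directory. Function names, the backup path and the nonce action
// are assumptions.

// Weak check: only compares string lengths. Padding any path with leading "/"
// characters satisfies it, which is the bypass the advisory describes.
function xc_dir_allowed_by_length( $dir, $backup_path ) {
    return strlen( $dir ) > strlen( $backup_path );
}

// Hardened check: resolve both paths (collapsing repeated slashes, "..", and
// symlinks) and require the result to be $backup_path or a descendant of it.
function xc_dir_allowed_by_containment( $dir, $backup_path ) {
    $base = realpath( $backup_path );
    $real = realpath( $dir );
    if ( false === $base || false === $real ) {
        return false; // unresolvable path: refuse rather than guess
    }
    $base = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    // Appending a separator to $real stops "/backups2" matching "/backups".
    return 0 === strncmp( $real . DIRECTORY_SEPARATOR, $base, strlen( $base ) );
}

// Handler for action=files_xml (WordPress maps it to the wp_ajax_files_xml hook).
// The listing is restricted to administrators, requires a nonce, and only serves
// directories that pass the containment check; the resolved path is what is listed.
// JSON output stands in for the plugin's XML listing to keep the example short.
function xc_files_xml_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'xc_files_xml' ); // nonce action name is an assumption
    $backup_path = '/var/www/html/administrator/backups'; // placeholder for the configured value
    $dir = isset( $_GET['dir'] ) ? (string) $_GET['dir'] : $backup_path;
    if ( ! xc_dir_allowed_by_containment( $dir, $backup_path ) ) {
        wp_send_json_error( 'directory not permitted', 400 );
    }
    $entries = scandir( realpath( $dir ) );
    wp_send_json_success( array_values( array_diff( $entries, array( '.', '..' ) ) ) );
}
add_action( 'wp_ajax_files_xml', 'xc_files_xml_hardened' );
```

With this check, `dir=///////var/www/html/administrator/backups` resolves to the backup directory and is served, while any path outside it is refused regardless of how many leading slashes it carries.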

Affects Plugin

Fixed in version 3.1.5

References

URL https://gist.github.com/ldionmarcil/b223bb39694019d6f35a601ed7f841bf
URL https://plugins.trac.wordpress.org/changeset/1565339/xcloner-backup-and-restore

Classification

Type BYPASS

Miscellaneous

Submitter ldionmarcil
Submitter Website https://keybase.io/ldionmarcil
Submitter Twitter ldionmarcil
Verified No
WPVDB ID 8707

Timeline

Publicly Published 2016-12-31
Added 2017-01-03
Last Updated 2017-01-03
