XCloner - Backup and Restore <= 3.1.4 - Authenticated Path Traversal

Authenticated users are able to perform directory listings at any location available to the Wordpress user, leaking filenames of previous backups. This was found in XCloner - Backup and Restore version 3.1.4, but may have been introduced in earlier versions. Attackers can leverage directory listings to leak otherwise secret filepaths to previous backups, allowing them to acquire full backup contents, since the backup download is not authenticated.
Proof of Concept
Log in as a regular, unprivileged user (subscriber):

1. Visit http://wordpress/wp-admin/admin-ajax.php?action=files_xml.
   This is a XML file-listing of the root Wordpress installation, and its
2. Add a `dir` GET argument to the URL to browse to a specific directory. 
   The length of this path has to be longer than the length of the `backup_path`
   configuration variable on the server, but this is bypassable by adding
   leading slashes to your path. ie: /foo/bar → /////////foo/bar, or until the
   length of your path exceeds the configuration one, using trial and error.
   In this case, we want to leak previous backups, so navigate to
3. Backups will be enumerated here, you can then browse to their location
   Depending on previous steps, the URL would be something like this:

Affects Plugin

fixed in version 3.1.5


URL https://gist.github.com/ldionmarcil/b223bb39694019d6f35a601ed7f841bf
URL https://plugins.trac.wordpress.org/changeset/1565339/xcloner-backup-and-restore




Submitter ldionmarcil
Submitter Website https://keybase.io/ldionmarcil
Submitter Twitter ldionmarcil
Views 2631
Verified No


Publicly Published 2016-12-31 (over 2 years ago)
Added 2017-01-03 (over 2 years ago)
Last Updated 2017-01-03 (over 2 years ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.