Authenticated users are able to perform directory listings at any location available to the Wordpress user, leaking filenames of previous backups. This was found in XCloner - Backup and Restore version 3.1.4, but may have been introduced in earlier versions. Attackers can leverage directory listings to leak otherwise secret filepaths to previous backups, allowing them to acquire full backup contents, since the backup download is not authenticated.
|Proof of Concept
Log in as a regular, unprivileged user (subscriber):
1. Visit http://wordpress/wp-admin/admin-ajax.php?action=files_xml.
This is a XML file-listing of the root Wordpress installation, and its
2. Add a `dir` GET argument to the URL to browse to a specific directory.
The length of this path has to be longer than the length of the `backup_path`
configuration variable on the server, but this is bypassable by adding
leading slashes to your path. ie: /foo/bar → /////////foo/bar, or until the
length of your path exceeds the configuration one, using trial and error.
In this case, we want to leak previous backups, so navigate to
3. Backups will be enumerated here, you can then browse to their location
Depending on previous steps, the URL would be something like this: