Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20141216165119.GA31409@kludge.henri.nerv.fi>
Date: Tue, 16 Dec 2014 18:51:19 +0200
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Cc: plugins@...dpress.org, moderators@...db.org, wpscanteam@...il.com
Subject: CVE-2014-9119: DB Backup plugin for WordPress download.php file
 Parameter Remote Path Traversal File Access

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Product: WordPress plugin db-backup
Plugin page: https://wordpress.org/plugins/db-backup/
Developer: Syed Amir Hussain "syedamirhussain91"
Vulnerability Type: Remote Path Traversal File Access
CWE-23: Relative Path Traversal
Vulnerable Versions: 4.5 and earlier
Fixed Version: N/A
Vendor Notification: 2014-11-27
Public Disclosure: 2014-12-16
CVE Reference: CVE-2014-9119
Criticality: High

Vulnerability details:

DB Backup plugin for WordPress contains a flaw that allows traversing outside of
a restricted path. The issue is due to the download.php script not properly
sanitizing user input, specifically path traversal style attacks (e.g. '../').
With a specially crafted request, a remote attacker can gain read access to
arbitrary files, limited by system operational access control. This
vulnerability can be used to get WordPress authentication keys and salts,
database address and credentials, which can be used in certain environments to
elevate privileges and execute malicious PHP code.

Root cause:

Unsanitized user input to readfile() function.

Proof-of-concept:

/wp-content/plugins/db-backup/download.php?file=../../../wp-config.php

Timeline:

2014-11-27: Reported to developer and WordPress plugins team.
2014-11-27: CVE assigned and reported to developer.
2014-11-28: Communication with developer and he said this will be fixed.
2014-12-02: Asked status from developer.
2014-12-03: Developer says this will be fixed by 7th.
2014-12-07: Asked status from developer.
2014-12-08: Developer responds.
2014-12-09: Asked more details from developer.
2014-12-10: More discussion about the solution and new disclosure date set.
2014-12-16: Agreed disclosure date was 15th, I don't understand issue with
patching so public disclosure. Please note that there are hundreds of backup
plugins in WordPress Plugin Directory.

Notes:

- - Remove plugin "db-backup" as deactivation does not fix the issue.
- - Use another plugin until patch is available and new version is published.
- - Sites I know using this plugin will be notified via abuse emails today.

References:
http://cwe.mitre.org/data/definitions/23.html
https://scapsync.com/cwe/CWE-23
https://www.owasp.org/index.php/Path_Traversal
https://www.owasp.org/index.php/Testing_for_Path_Traversal_%28OTG-AUTHZ-001%29

- -- 
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlSQYwcACgkQXf6hBi6kbk8uHwCeJfQd1Vjc2Rr6kzyFxF8rC4NW
zbMAoKG4tidQkLM5qrnyIfHTVZPXbOdk
=5Nmf
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.