Date: Tue, 16 Dec 2014 12:20:43 -0500 From: "Larry W. Cashdollar" <larry0@...com> To: oss-security@...ts.openwall.com Cc: plugins@...dpress.org, moderators@...db.org, wpscanteam@...il.com Subject: Re: CVE-2014-9119: DB Backup plugin for WordPress download.php file Parameter Remote Path Traversal File Access When going to this plugin page (https://wordpress.org/plugins/db-backup/) I get : Whoops! We couldn't find that plugin. Maybe you were looking for one of these? > On Dec 16, 2014, at 11:51 AM, Henri Salo <henri@...v.fi> wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Product: WordPress plugin db-backup > Plugin page: https://wordpress.org/plugins/db-backup/ > Developer: Syed Amir Hussain "syedamirhussain91" > Vulnerability Type: Remote Path Traversal File Access > CWE-23: Relative Path Traversal > Vulnerable Versions: 4.5 and earlier > Fixed Version: N/A > Vendor Notification: 2014-11-27 > Public Disclosure: 2014-12-16 > CVE Reference: CVE-2014-9119 > Criticality: High > > Vulnerability details: > > DB Backup plugin for WordPress contains a flaw that allows traversing outside of > a restricted path. The issue is due to the download.php script not properly > sanitizing user input, specifically path traversal style attacks (e.g. '../'). > With a specially crafted request, a remote attacker can gain read access to > arbitrary files, limited by system operational access control. This > vulnerability can be used to get WordPress authentication keys and salts, > database address and credentials, which can be used in certain environments to > elevate privileges and execute malicious PHP code. > > Root cause: > > Unsanitized user input to readfile() function. > > Proof-of-concept: > > /wp-content/plugins/db-backup/download.php?file=../../../wp-config.php > > Timeline: > > 2014-11-27: Reported to developer and WordPress plugins team. > 2014-11-27: CVE assigned and reported to developer. > 2014-11-28: Communication with developer and he said this will be fixed. > 2014-12-02: Asked status from developer. > 2014-12-03: Developer says this will be fixed by 7th. > 2014-12-07: Asked status from developer. > 2014-12-08: Developer responds. > 2014-12-09: Asked more details from developer. > 2014-12-10: More discussion about the solution and new disclosure date set. > 2014-12-16: Agreed disclosure date was 15th, I don't understand issue with > patching so public disclosure. Please note that there are hundreds of backup > plugins in WordPress Plugin Directory. > > Notes: > > - - Remove plugin "db-backup" as deactivation does not fix the issue. > - - Use another plugin until patch is available and new version is published. > - - Sites I know using this plugin will be notified via abuse emails today. > > References: > http://cwe.mitre.org/data/definitions/23.html > https://scapsync.com/cwe/CWE-23 > https://www.owasp.org/index.php/Path_Traversal > https://www.owasp.org/index.php/Testing_for_Path_Traversal_%28OTG-AUTHZ-001%29 > > - -- > Henri Salo > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.12 (GNU/Linux) > > iEYEARECAAYFAlSQYwcACgkQXf6hBi6kbk8uHwCeJfQd1Vjc2Rr6kzyFxF8rC4NW > zbMAoKG4tidQkLM5qrnyIfHTVZPXbOdk > =5Nmf > -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.