UpdraftPlus Backup and Restoration [Insuficient Directory Access Protection]

Description

Plugin UpdraftPlus Backup and Restoration allows users to easily backup their sites with just a few clicks. Backups can be consist of DB dumps, upload dir etc. All backup files along with generation logs are store in the directory wp-content/updraft. Plugin also creates in this dir two files in order to protect it from web access, an .htaccess and an web.config file. These two files are used by Apache and servers running ASP.NET, leaving the back up dir to specific server setups (like when in Apache AllowOverride is off, or in NGINX servers).

PoC

The code that is reponsible for creating the aforementioned files:

File: updraftplus/class-updraftplus.php:

if((!is_dir($updraft_dir) || !is_file($updraft_dir.'/index.html') || !is_file($updraft_dir.'/.htaccess')) && !is_file($updraft_dir.'/index.php') || !is_file($updraft_dir.'/web.config')) {
    @mkdir($updraft_dir, 0775, true);
    @file_put_contents($updraft_dir.'/index.html',"<html><body><a href=\"https://updraftplus.com\">WordPress backups by UpdraftPlus</a></body></html>");
    if (!is_file($updraft_dir.'/.htaccess')) @file_put_contents($updraft_dir.'/.htaccess','deny from all');
    if (!is_file($updraft_dir.'/web.config')) @file_put_contents($updraft_dir.'/web.config', "<configuration>\n<system.webServer>\n<authorization>\n<deny users=\"*\" />\n</authorization>\n</system.webServer>\n</configuration>\n");
}

Take a backup in NGINX server and access the directory wp-content/updraft with your browser.

Google dork: inurl:wp-content/updraft


INFO
GKxtL3WcoJHtnKZtqTuuqPOiMvOwqKWco3AcqUxX