UpdraftPlus Backup and Restoration [Insuficient Directory Access Protection]
Description
Plugin UpdraftPlus Backup and Restoration allows users to easily backup
their sites with just a few clicks. Backups can be consist of DB dumps,
upload dir etc. All backup files along with generation logs are store in
the directory wp-content/updraft
. Plugin also creates in this dir two
files in order to protect it from web access, an .htaccess
and
an web.config
file. These two files are used by Apache and servers
running ASP.NET, leaving the back up dir to specific server setups (like
when in Apache AllowOverride is off, or in NGINX servers).
PoC
The code that is reponsible for creating the aforementioned files:
File: updraftplus/class-updraftplus.php
:
if((!is_dir($updraft_dir) || !is_file($updraft_dir.'/index.html') || !is_file($updraft_dir.'/.htaccess')) && !is_file($updraft_dir.'/index.php') || !is_file($updraft_dir.'/web.config')) {
@mkdir($updraft_dir, 0775, true);
@file_put_contents($updraft_dir.'/index.html',"<html><body><a href=\"https://updraftplus.com\">WordPress backups by UpdraftPlus</a></body></html>");
if (!is_file($updraft_dir.'/.htaccess')) @file_put_contents($updraft_dir.'/.htaccess','deny from all');
if (!is_file($updraft_dir.'/web.config')) @file_put_contents($updraft_dir.'/web.config', "<configuration>\n<system.webServer>\n<authorization>\n<deny users=\"*\" />\n</authorization>\n</system.webServer>\n</configuration>\n");
}
Take a backup in NGINX server and access the directory wp-content/updraft
with your browser.
Google dork: inurl:wp-content/updraft
- 28 April 2016
- Tim Cantrell, Pan Vag
- updraftplus.com
- UpdraftPlus Backup and Restoration
- 1.12.6
- WordPress 4.5
- DWF-2016-87033