XCloner – Backup and Restore < 3.1.5 – Authenticated Path Traversal

Description

Authenticated users are able to perform directory listings at any location available to the Wordpress user, leaking filenames of previous backups. This was found in XCloner - Backup and Restore version 3.1.4, but may have been introduced in earlier versions. Attackers can leverage directory listings to leak otherwise secret filepaths to previous backups, allowing them to acquire full backup contents, since the backup download is not authenticated.

Proof of Concept

Log in as a regular, unprivileged user (subscriber):

1. Visit http://wordpress/wp-admin/admin-ajax.php?action=files_xml.
   This is a XML file-listing of the root Wordpress installation, and its
   fullpath.
2. Add a `dir` GET argument to the URL to browse to a specific directory. 
   The length of this path has to be longer than the length of the `backup_path`
   configuration variable on the server, but this is bypassable by adding
   leading slashes to your path. ie: /foo/bar → /////////foo/bar, or until the
   length of your path exceeds the configuration one, using trial and error.
   In this case, we want to leak previous backups, so navigate to
   http://wordpress/wp-admin/admin-ajax.php?action=files_xml&dir=///////var/www/html/administrator/backups
3. Backups will be enumerated here, you can then browse to their location
   Depending on previous steps, the URL would be something like this:
   http://wordpress/administrator/backups/{BACKUP_FILENAME}