JetBackup < 2.0.9.9 – Directory Listing Exposing Backups | CVE 2023-7165 | Plugin Vulnerabilities

Description

The plugin doesn't use index files to prevent public directory listing of sensitive directories in certain configurations, which allows malicious actors to leak backup files.

A partial fix was released in 2.0.9.6, removing the ability to list the directory but still allowing direct access to the files by only guessing the timestamp of the backup.

Proof of Concept

1) Run backup function http://your_site/wordpress/wp-admin/admin.php?page=backup_guard_backups
2) When the scan is over, the attacker must sort through the directory "/wordpress/wp-content/uploads/jetbackup/*", after which there will be a Directory Listing vulnerability in it, which will allow pumping out all backup and all logs. This vulnerability will be available if a person names the file in a simple way.

Affects Plugins

Fixed in 2.0.9.9

References

CVE

URL

https://research.cleantalk.org/cve-2023-7165-jetbackup-poc/

YouTube Video

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://research.cleantalk.org

Verified

Yes

WPVDB ID

ad1ef4c5-60c1-4729-81dd-f626aa0ce3fe

Timeline

Publicly Published

2023-11-30 (about 5 months ago)

Added

2024-02-02 (about 3 months ago)

Last Updated

2024-02-07 (about 3 months ago)

Other

Published

Title

Published

2021-03-26

Title

AccessAlly < 3.5.7 - $_SERVER Superglobal Leakage

Published

2023-09-11

Title

WooCommerce < 7.9.0 - Sensitive Information Exposure

Published

2024-02-26

Title

WooCommerce Coupon Popup, SmartBar, Slide In | MyShopKit <= 1.0.9 - Unauthenticated Sensitive Information Exposure

Published

2023-12-04

Title

AppMySite < 3.11.1 - Unauthenticated Information Disclsoure

Published

2023-12-06

Title

WP Staging (Free < 3.1.3, Pro < 5.1.3) - Unauthenticated Backup Download