04-12-2014 / Vulnerabilities

WP Backitup 1.9 Privilege Escalation

Regular user (created using wp-login.php?action=register) can run backup functionality:

File: wp-backitup\lib\includes\class-wpbackitup-admin.php

add_action('wp_ajax_wp-backitup_backup', array( &$this, 'ajax_backup' ));
add_action('wp_ajax_wp-backitup_backup_status_reader', array( &$this,'ajax_get_backup_status'));

Proof of Concept

http://wordpress-instalation/wp-admin/admin-ajax.php?action=wp-backitup_backup

After that you can start scheduled backup (you must use this link few times because backup has few steps):

http://wordpress-instalation/wp-admin/admin-ajax.php?action=wp-backitup_backup_status_reader

You can download backup using Disclosure of Potentially Sensitive Information

Timeline

20-10-2014: Discovered
15-11-2014: Vendor notified
18-11-2014: Version 1.9.1 released, issue resolved

Vulnerabilities

Kallithea <= 0.3.4 Incorrect access control and XSS

This vulnerability allows a normal user to modify the permissions of repositories that he normally shouldn’t have access to.

12-12-2018

2 MIN READ

Vulnerabilities

Gitea 1.4.0 Unauthenticated Remote Code Execution

This is part 1 of 3 about bugs inside Gitea

05-07-2018

5 MIN READ

Vulnerabilities

ManageEngine Exchange Reporter Plus Unauthenticated Remote Code Execution

How to create a Metasploit module in example?

28-06-2018

1 MIN READ