19-11-2014 / Vulnerabilities

XCloner Backup and Restore 3.1.1 Backup Download

A similar issue was discovered independently by Larry W. Cashdollar at around the same time.

The json_return AJAX handler does not check admin privileges. It is registered on the wp_ajax_ hook, which WordPress fires for any logged-in user regardless of role, and it then includes admin.cloner.php without a capability or nonce check.

File: xcloner-backup-and-restore\xcloner.php

// wp_ajax_* hooks fire for every authenticated user, not only administrators
add_action( 'wp_ajax_json_return', 'json_return' );
function json_return(){
	$_REQUEST['nohtml'] = 1;
	// no current_user_can() / check_ajax_referer() before dispatching
	include "admin.cloner.php";
	die();
}

As a result, any logged-in user (for example a subscriber) can reach the task dispatcher in admin.cloner.php, list the already created backups and download them.

File: xcloner-backup-and-restore\admin.cloner.php

$task = $_REQUEST['task'];
switch ($task) {
    case 'view':
        showBackups($option);
    break;
}
function showBackups($option)
{
    // ----------------------------------------------------------
    // Generate a selectable list of the files in Backup Folder
    // ----------------------------------------------------------
    global $_CONFIG;
    if (!is_dir($_CONFIG['clonerPath'])) {
        E_print("Your backup directory " . $_CONFIG['clonerPath'] . " is not correct! Unable to continue...");
        return;
    }
    // initialise list arrays, directories and files separately and array counters for them
    $d_arr = array();
    $d = 0;
    $f_arr = array();
    $f = 0;
    $s_arr = array();
    $s = 0;
    // obtain the list of backup archive files
    getBackupFiles($d_arr, $f_arr, $s_arr, $d, $f);
    // load presentation layer
    $html = new HTML_cloner();
    $html->showBackups($f_arr, $s_arr, $_CONFIG['clonerPath'], $option);
}
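The following is an added example of how the handler should be guarded; it is not the plugin's own code. It assumes the handler keeps dispatching into admin.cloner.php, that backup management is meant for administrators (hence the manage_options capability), and the nonce action name xcloner_json_return is hypothetical.

```php
<?php
// Added example, not XCloner's code: hardened replacement for the json_return
// AJAX handler. Assumptions: site administrators are the intended audience
// ('manage_options'), and the nonce action 'xcloner_json_return' is a
// hypothetical name that the plugin's admin page would issue with
// wp_create_nonce( 'xcloner_json_return' ).

add_action( 'wp_ajax_json_return', 'xcloner_json_return_secure' );

function xcloner_json_return_secure() {
    // 1. Authorisation. Being logged in (which is all wp_ajax_* guarantees)
    //    is not enough: only users who may manage the site can list or
    //    fetch backup archives.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }

    // 2. CSRF protection. The request must carry the nonce issued for this
    //    action in the 'nonce' parameter; check_ajax_referer() dies on
    //    failure. This also stops an administrator being tricked into
    //    triggering backup tasks from a third-party page.
    check_ajax_referer( 'xcloner_json_return', 'nonce' );

    // 3. Only then hand over to the existing presentation code.
    $_REQUEST['nohtml'] = 1;
    include dirname( __FILE__ ) . '/admin.cloner.php';
    wp_die();
}
```

The capability check belongs at the top of every entry point that includes admin.cloner.php, not only in this handler; if other actions or direct includes reach the same task switch, they need the same guard, otherwise fixing json_return alone leaves the view and download tasks reachable by another route.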

Proof of Concept

Register as a standard (subscriber) user via wp-login.php?action=register (this requires open registration on the target site), then log in through wp-login.php and request:

http://wordpress-instalation/wp-admin/admin-ajax.php?action=json_return&task=view

Timeline

  • 16-10-2014: Discovered
  • 07-11-2014: Vendor notified
  • 13-11-2014: Second notification