WP Backitup 1.9 Disclosure of Potentially Sensitive Information
Homepage:
https://wordpress.org/plugins/wp-backitup
CVE-ID
CVSS Score
5
CVSS Vector
Description:
The link to the created backup file is written into a log file.
File: wp-backitup\lib\includes\job_backup.php
/**
 * Build the "success" response payload for a finished backup job and hand it
 * to write_response_file().
 *
 * Reads the current backup job ($wp_backup), the plugin instance ($WPBackitup)
 * and the job logger ($logger) from globals. Note that the payload contains
 * backupZipLink, a direct URL to the backup archive, so whatever consumes the
 * response file can see where the archive is stored.
 */
function write_response_file_success() {
    global $WPBackitup, $wp_backup, $logger;

    $response = new stdClass();
    // Property order is kept as-is: it is the order in which json_encode()
    // emits the fields.
    $response->backupStatus   = 'success';
    $response->backupMessage  = 'success';
    $response->backupFile     = $wp_backup->backup_filename;
    $response->backupZipLink  = WPBACKITUP__BACKUP_URL . '/' . $wp_backup->backup_filename;
    $response->backupLicense  = $WPBackitup->license_active();
    $response->backupRetained = $wp_backup->backup_retained_number;

    // Only advertise a log link when the logger's file actually exists on disk.
    $logExists = file_exists($logger->logFilePath);
    if ($logExists) {
        $response->backupLogLink = basename($logger->logFileName, '.log');
    }

    write_response_file($response);
}
//write Response Log
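/**
 * Serialise the backup response and persist it to the response file.
 *
 * The encoded payload is deliberately NOT copied into the plugin log: for a
 * successful job it carries the backup file name and a direct URL to the
 * backup archive (backupZipLink), and nothing here shows the logger's output
 * being protected from web access, so echoing the payload would disclose the
 * archive location to anyone able to read that log.
 *
 * @param object $JSON_Response  payload to write (a stdClass in this file)
 */
function write_response_file($JSON_Response) {
    global $logger;

    $json_response = json_encode($JSON_Response);
    if ($json_response === false) {
        // json_encode() signals failure with false; writing that would
        // truncate the response file to an empty string.
        $logger->log('Write response file: unable to encode response.');
        return;
    }

    // Record the event only; the payload contents stay out of the log.
    $logger->log('Write response file.');

    $fh = get_response_file();
    // get_file_handle() is a project helper; guard against a failed open
    // instead of calling fwrite()/fclose() on a non-resource.
    if (!is_resource($fh)) {
        $logger->log('Write response file: unable to open response file.');
        return;
    }

    fwrite($fh, $json_response);
    fclose($fh);
}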
//Get Response Log
/**
 * Open the backup response file and return its handle.
 *
 * The file lives in the plugin's own logs/ directory. NOTE(review): per this
 * advisory's proof of concept that directory is reachable over HTTP in a
 * default install, so the response written here is readable by anyone who
 * can request the URL — confirm whether the directory is access-restricted.
 *
 * @return mixed  whatever WPBackItUp_FileSystem::get_file_handle() returns
 */
function get_response_file() {
    global $logger;

    $responsePath = WPBACKITUP__PLUGIN_PATH . 'logs/backup_response.log';
    $fileSystem   = new WPBackItUp_FileSystem($logger);
    $handle       = $fileSystem->get_file_handle($responsePath, false);

    return $handle;
}
Proof of Concept:
The backup files can be browsed and downloaded because directory listing is not disabled for the backup directory:
http://wordpress-instalation/wp-content/wpbackitup_backups/
The backup file name can also be read from the response log file:
http://wordpress-instalation/wp-content/plugins/wp-backitup/logs/backup_response.log
Timeline:
- 20-10-2014: Discovered
- 15-11-2014: Vendor notified
- 18-11-2014: Version 1.9.1 released, issue resolved