WP Backitup 1.9 Disclosure of Potentially Sensitive Information

Homepage:

https://wordpress.org/plugins/wp-backitup

CVE-ID

CVE-2014-9012

CVSS Score

5

CVSS Vector

(AV:N/AC:L/Au:N/C:P/I:N/A:N)

Description:

The link to the created backup file is saved in a log file.

File: wp-backitup\lib\includes\job_backup.php

/**
 * Builds the JSON success response for a finished backup job and hands it to
 * write_response_file().
 *
 * The response carries the archive's file name and a direct download URL for
 * it (WPBACKITUP__BACKUP_URL . '/' . filename). Because write_response_file()
 * logs the serialised body as well, that URL is disclosed to anyone who can
 * read the log or the response file; treat both as sensitive as the backup.
 *
 * Reads the globals $WPBackitup, $wp_backup and $logger.
 */
function write_response_file_success() {
    global $WPBackitup, $wp_backup, $logger;

    $fields = array(
        'backupStatus'   => 'success',
        'backupMessage'  => 'success',
        'backupFile'     => $wp_backup->backup_filename,
        // Direct URL to the archive inside the web-served backup directory.
        'backupZipLink'  => WPBACKITUP__BACKUP_URL . '/' . $wp_backup->backup_filename,
        'backupLicense'  => $WPBackitup->license_active(),
        'backupRetained' => $wp_backup->backup_retained_number,
    );

    // Only advertise a log link when the log file is actually present on disk.
    if (file_exists($logger->logFilePath)) {
        $fields['backupLogLink'] = basename($logger->logFileName, '.log');
    }

    write_response_file((object) $fields);
}

//write Response Log
/**
 * Serialises a job response to JSON, echoes it into the plugin log, and writes
 * it to the handle returned by get_response_file().
 *
 * Security note: the serialised body goes verbatim to both the logger and
 * logs/backup_response.log. For the success response that body includes the
 * backup file name and its download URL, so both files reveal where the
 * archive can be fetched from.
 *
 * @param object $JSON_Response  response object to serialise
 */
function write_response_file($JSON_Response) {
    global $logger;

    $encoded = json_encode($JSON_Response);
    $logger->log(sprintf('Write response file:%s', $encoded));

    $handle = get_response_file();
    fwrite($handle, $encoded);
    fclose($handle);
}

//Get Response Log
/**
 * Opens the backup response file and returns the handle; the caller closes it.
 *
 * The file is placed at WPBACKITUP__PLUGIN_PATH . 'logs/backup_response.log',
 * i.e. inside the plugin directory under wp-content. Unless the web server
 * denies direct requests to that directory, the file is reachable over HTTP
 * and exposes everything write_response_file() put in it.
 *
 * The meaning of the second argument to get_file_handle() is defined by
 * WPBackItUp_FileSystem, which is not shown here.
 *
 * @return mixed  whatever WPBackItUp_FileSystem::get_file_handle() returns
 */
function get_response_file() {
    global $logger;

    $fileSystem = new WPBackItUp_FileSystem($logger);

    return $fileSystem->get_file_handle(
        WPBACKITUP__PLUGIN_PATH . 'logs/backup_response.log',
        false
    );
}

Proof of Concept:

You can browse and download backup files because directory listing is not disabled for the backup directory:

http://wordpress-installation/wp-content/wpbackitup_backups/

You can also obtain the backup file name from the log file:

http://wordpress-installation/wp-content/plugins/wp-backitup/logs/backup_response.log

Timeline: