Home » Backup Guard < 1.0.3 Logged in users can upload arbitrary files

Backup Guard < 1.0.3 Logged in users can upload arbitrary files

Backup Guard is one of many WordPress plugins to designed to backup your site. The free version on wordpress.org claims to have 20,000+ active installs, there is no indication of how many installs the non-free version has. After disclosing this information the developer sent me a copy of the paid version, but I have not had time to investigate that code.

As of today, the included ChangeLog still does not have any release notes related to this version and I have not seen any announcements of any security issues.

I noticed several issues related to their handling of AJAX requests. One of them allowed a non-authenticated user to trigger a manual backup. Though by default it uses .htaccess to keep anyone from accessing the backup files directly. With the paid version it might have been possible to pass in a remote location to backup the file to, but I did not have the code available when I did my initial analysis to determine if that was possible.

The other AJAX commands required a valid WordPress account (not just admin), none of the commands did any further authorization so a normal user could do any of the actions. There are lots of actions to choose from, the most interesting to me was ‘backup_guard_importBackup’.

Upload arbitrary files

Through the ‘backup_guard_importBackup’ command any logged in user is able to upload a specially crafted backup file that can write to any location on the system (assuming appropriate file permissions). In my test, I was able to upload an arbitrary file containing php code and then execute it remotely.

backupguard_import_backup_ajaxbackupguard_import_backupThe code is split up for simplicity, but here is the code that makes it all possible.

backupguard_import_backup_php

I’m not going to include the SGBackup::upload() function and everything else it calls, but it essentially will extract a properly formatted file and extract it. Fortunately, they use a non-standard file format so someone has to jump through some hoops to create the file.

Timeline

  • 1/14/2016 Requested contact information
  • 1/15/2016 Received contact information and disclosure sent
  • 1/17/2016 Response received saying they are working on a fix
  • 2/12/2016 Fixed version released