Backup Guard is one of many WordPress plugins to designed to backup your site. The free version on wordpress.org claims to have 20,000+ active installs, there is no indication of how many installs the non-free version has. After disclosing this information the developer sent me a copy of the paid version, but I have not had time to investigate that code.
As of today, the included ChangeLog still does not have any release notes related to this version and I have not seen any announcements of any security issues.
I noticed several issues related to their handling of AJAX requests. One of them allowed a non-authenticated user to trigger a manual backup. Though by default it uses .htaccess to keep anyone from accessing the backup files directly. With the paid version it might have been possible to pass in a remote location to backup the file to, but I did not have the code available when I did my initial analysis to determine if that was possible.
The other AJAX commands required a valid WordPress account (not just admin), none of the commands did any further authorization so a normal user could do any of the actions. There are lots of actions to choose from, the most interesting to me was ‘backup_guard_importBackup’.
Upload arbitrary files
Through the ‘backup_guard_importBackup’ command any logged in user is able to upload a specially crafted backup file that can write to any location on the system (assuming appropriate file permissions). In my test, I was able to upload an arbitrary file containing php code and then execute it remotely.
The code is split up for simplicity, but here is the code that makes it all possible.
I’m not going to include the SGBackup::upload() function and everything else it calls, but it essentially will extract a properly formatted file and extract it. Fortunately, they use a non-standard file format so someone has to jump through some hoops to create the file.
- 1/14/2016 Requested contact information
- 1/15/2016 Received contact information and disclosure sent
- 1/17/2016 Response received saying they are working on a fix
- 2/12/2016 Fixed version released