Home » WordPress » Page 6

Category: WordPress

Backup Guard < 1.0.3 Logged in users can upload arbitrary files

by James Golovich

Backup Guard is one of many WordPress plugins to designed to backup your site. The free version on wordpress.org claims to have 20,000+ active installs, there is no indication of how many installs the non-free version has. After disclosing this information the developer sent me a copy of the paid version, but I have not had time to investigate that code.

As of today, the included ChangeLog still does not have any release notes related to this version and I have not seen any announcements of any security issues.

I noticed several issues related to their handling of AJAX requests. One of them allowed a non-authenticated user to trigger a manual backup. Though by default it uses .htaccess to keep anyone from accessing the backup files directly. With the paid version it might have been possible to pass in a remote location to backup the file to, but I did not have the code available when I did my initial analysis to determine if that was possible.

The other AJAX commands required a valid WordPress account (not just admin), none of the commands did any further authorization so a normal user could do any of the actions. There are lots of actions to choose from, the most interesting to me was ‘backup_guard_importBackup’.

Read more

Visser Labs WordPress Plugins Multiple Vulnerabilities

by James Golovich

Last week there was a vulnerability published for the WooCommerce Store Toolkit WordPress plugin from Visser Labs. I’ll often take a look at vulnerabilities and how they are resolved. In this case I noticed that the fix only covered one part and furthermore other plugin were vulnerable to similar issues. Kudos to Michael Visser for taking all these issues in stride and getting them resolved quickly.

The following plugins all had similar vulnerabilities that have been resolved.

WooCommerce – Store Exporter

The most serious vulnerability is in this plugin. The woo_ce_admin_init() function is hooked by the ‘admin_init’ WordPress action (which happens when anything under the admin interface is loaded, not when an admin is logged in). The function checks the ‘action’ HTTP variable (GET or POST) and will perform many actions without further authorization.

The ‘export’ action does attempt to check a nonce but there is a small bug that renders it useless.

visser-exporter-export

Because of the &&, if $_POST[‘woo_ce_export’] is never passed in then the nonce will not be checked. Which allows all kinds of fun stuff to be exported.

Timeline

  • 2/8/2016 Original advisory posted
  • 2/9/2016 Sent additional information
  • 2/10/2016 Updated versions released

Simple Download Monitor 3.2.8 Security Vulnerability

by James Golovich

The WordPress plugin Simple Download Monitor has a few security vulnerabilities that allows unauthenticated users to list all uploaded files, delete thumbnails associated with them, and uploaded files with password protection can be download without entering a password.

As of 1/19/2016 the wordpress.org information says there are 10,000+ active installs of this plugin.

The vendor Tips and Tricks HQ has released version 3.2.9 to resolve this issue.

List all uploaded files

Unauthenticated AJAX allows any user to access the ‘sdm_tiny_get_post_ids’ action which will return a JSON encoded list of all ‘post_id’ and ‘post_title’ that were uploaded with the Simple Download Monitor plugin. In many cases these files are publicly visible already so this isn’t a major security issue in most cases.

sdm_ajax_list

Delete thumbnails

Unauthenticated AJAX calls again allow any unauthenticated user to delete thumbnail images that were added using this plugin via the ‘sdm_remove_thumbnail_image’ action.

sdm_ajax_delete

Download files without password protection

This is the biggest security issue here, they do provide an AJAX command that verifies the post password to allow downloading the file but there is also this backdoor method to access the file that can be used without any password verification. Though the access is logged if logging is enabled.

sdm_view_init

Early on by the ‘init’ action the handle_sdm_download_via_direct_post() function is called. Which then takes the supplied ‘download_id’ and retrieves the post containing a file.

sdm_download_part1

After the bit of logging it finally happily redirects the user to the proper download URL.

sdm_download_part2

One additional note, these files are not actually password protected, just the posts that contain them. So if someone has the direct URL to a file they can download it without any further authorization.

It’s always wise to ensure that any request is properly authorized.

Timeline

  • 1/12/2016 2:16pm Initial contact email sent to find appropriate security/developer contact
  • 1/12/2016 10:16pm Vendor responds with contact information
  • 1/13/2016 10:16am Complete disclosure sent
  • 1/14/2016 7:31pm Vendor reply stating they are working on issue and requested more information
  • 1/16/2016 7:37pm Vendor reply stating a new version has been released