| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <69b47644-696e-21cd-42b6-eb26954aa2fd@evolution-hosting.eu> Date: Fri, 27 Sep 2019 21:23:49 +0200 From: Fulldisclosure Team <fulldisclosure@...lution-hosting.eu> To: fulldisclosure@...lists.org Subject: [FD] Duplicator Pro <= 1.3.14: Local Information Disclosure Product: Duplicator Pro Vendor: SnapCreek Website: https://snapcreek.com/ Discovered by: Evolution Hosting Version vulnerable: <= 1.3.14 Fixed in: 1.3.15+ Vulnerability Type: Information Disclosure, local exposure of entire webinstallation content remotely triggerable: not for itself. Needs wp admin interaction. O== Advise Update to 1.3.15+ version We did not test for a possible CSRF combination (i.e. with other plugins ) to lever it to a remote executable attack. Updating your Wordpress Plugins regularly is a smart idea in general. O== Timeline: 25.06.2019 - problem detected 26.06.2019 - vendor contacted 27.06.2019 - first vendor reaction 05.07.2019 - silent patched version made public by vendor 05.07.2019 - working fix confirmed 26.09.2019 - 90day timer run out O== Description: Duplicator( Pro ) can import/export/backup Wordpress installations. While restoring the path after an import/restore, the directory mode of the apphome is made public, if they were private before. O== Tested Scenario: OS: Linux Apache PHP: CGI with user privilege seperation Docroot: "/home/username/public_html/" # ls -la /home/ | grep username drwxr-x--- 5 username webservices 4096 25. Jun 14:13 username After Duplicator has done its import/restore: drwxr-xr-x 5 username webservices 4096 25. Jun 14:17 username which opens the home directory of this webapp for any other systemuser. As fileaccessrules usually are relaxed inside a "home" directory, the entire content along the installation path could be exposed, if the pathpart was app owned. This may include database credentials for wp and other apps for the same user. O== Temp Fix: If you have a similar setup as our example above, execute after a restore: chmod o-rx /home/username O== Impact on none Linux systems Unkown. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists