lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 27 Sep 2019 21:23:49 +0200
From: Fulldisclosure Team <fulldisclosure@...lution-hosting.eu>
To: fulldisclosure@...lists.org
Subject: [FD] Duplicator Pro <= 1.3.14: Local Information Disclosure


Product: Duplicator Pro
Vendor:  SnapCreek
Website: https://snapcreek.com/
Discovered by: Evolution Hosting
Version vulnerable: <= 1.3.14
Fixed in: 1.3.15+

Vulnerability Type:  Information Disclosure, local exposure of entire
webinstallation content

remotely triggerable: not for itself. Needs wp admin interaction.

O== Advise

Update to 1.3.15+ version

We did not test for a possible CSRF combination (i.e. with other plugins
) to lever it to a remote executable attack. Updating your Wordpress
Plugins regularly is a smart idea in general.

O== Timeline:

25.06.2019 - problem detected
26.06.2019 - vendor contacted
27.06.2019 - first vendor reaction
05.07.2019 - silent patched version made public by vendor
05.07.2019 - working fix confirmed
26.09.2019 - 90day timer run out

O== Description:

Duplicator( Pro ) can import/export/backup Wordpress installations.
While restoring the path after an import/restore, the directory mode of
the apphome is made public, if they were private before.

O== Tested Scenario:

OS:         Linux
Apache PHP: CGI with user privilege seperation
Docroot:    "/home/username/public_html/"

# ls -la /home/ | grep username
drwxr-x---    5 username webservices 4096 25. Jun 14:13 username

After Duplicator has done its import/restore:

drwxr-xr-x    5 username webservices 4096 25. Jun 14:17 username

which opens the home directory of this webapp for any other systemuser.
As fileaccessrules usually are relaxed inside a "home" directory, the
entire content along the installation path could be exposed, if the
pathpart was app owned.

This may include database credentials for wp and other apps for the same
user.

O== Temp Fix:

If you have a similar setup as our example above, execute after a restore:

chmod o-rx /home/username

O== Impact on none Linux systems

Unkown.



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists