WordPress Automatic Upgrade bugs – information disclosure
On August 15 WordPress 2.6.1 was released – I haven’t updated my blog because the update didn’t have any improvements I needed.
A few days ago, some guy in #wordpress @freenode mentioned a WordPress Automatic Upgrade plugin – so I thought I’d give it a try and update my blog using it.
Downloading and installing the plugin was easy (as it always is). The plugin offered to upgrade my WordPress install from 2.6.0 to 2.6.1 – I agreed.
WPAU (WordPress Automatic Upgrade) backed up the files and database, and offered to let me download them – good.
Then it downloaded the update, put the website into maintenance mode, disabled all plugins, upgraded the install, and re-activated the plugins.
The update went smoothly. Everything works! WPAU also offered to remove the backups – and, from my personal experience, I know that not everybody chooses to remove the backups. That’s where the problem starts…
WPAU generates a random file name for the backups in the wpau-backup directory – that’s fine. But if you have directory indexing turned on (the default in most places), everyone who goes to your blog’s wpau-backup directory will see the backup files and will be able to download them! That’s bad.
Now, what’s in the backups? The backups contain your blog’s root directory with all kinds of stuff, but the most interesting file is wp-config.php… which has your MySQL database password inside…
As most sites have phpMyAdmin available for maintenance – you can use that to create a new WordPress user with admin privileges, change the admin’s password/email, change the content of the blog – in other words, almost anything.
If the site doesn’t have phpMyAdmin or remote MySQL access – you still get the database backup, with all the useful information inside, all the password-protected posts, etc.
Next, if you do have directory indexes OFF – there’s another problem: WPAU leaves behind a file with lots of useful information, and the file is accessible to everybody. The filename won’t be published here, but it’s not a big deal to find out which file it is.
That file has plenty of useful information:
- file system paths to your blog installation
- file list in your blog directory
- full list of enabled WordPress plugins
- path to the random file name having your WordPress backups!
So, even if you have indexing turned off – the full URL to your backups is available to everybody.
So, the minimum information WPAU discloses is the paths to your blog installation; the maximum is full access to your database or even your FTP account.
So, for a PoC let’s see what information the WPAU author’s home page gives out.
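For site owners who used WPAU before the fix, here is an added example (not from the original post or the WPAU project) of the two checks that follow from the above: counting backup archives left behind in wpau-backup, and dropping an .htaccess into that directory so Apache neither lists nor serves it. The archive name patterns (wpau-db-backup*.zip, wpau-files-bak-*.zip) are taken from the post; the Apache 2.2-style .htaccess directives and the assumption that AllowOverride is enabled for the document root are mine. The demo runs against a constructed throwaway directory tree, not a real install.

```shell
#!/bin/sh
# Added example: audit and lock down a WordPress install's wpau-backup directory.
# Assumptions: Apache with AllowOverride enabled (so .htaccess is honoured);
# the withheld leftover info file from the post is deliberately NOT searched for.

# Print the number of WPAU backup archives under <wp-root>/wpau-backup.
# Patterns match the archive names shown in the post.
count_leftover_backups() {
    dir="$1/wpau-backup"
    n=0
    [ -d "$dir" ] || { echo 0; return; }
    for f in "$dir"/wpau-db-backup*.zip "$dir"/wpau-files-bak-*.zip; do
        # An unmatched glob stays literal, so test for existence.
        if [ -e "$f" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Write an .htaccess that disables directory indexing and refuses all HTTP
# access to the backup directory (Apache 2.2 syntax, matching the era of the
# post; on Apache 2.4 use "Require all denied" instead of Order/Deny).
harden_backup_dir() {
    dir="$1/wpau-backup"
    mkdir -p "$dir"
    cat > "$dir/.htaccess" <<'EOF'
Options -Indexes
Order deny,allow
Deny from all
EOF
}

# Succeed only if wpau-backup/.htaccess contains both protective directives.
backup_dir_is_hardened() {
    ht="$1/wpau-backup/.htaccess"
    [ -f "$ht" ] && grep -q '^Options -Indexes' "$ht" && grep -q '^Deny from all' "$ht"
}

# Demo on a constructed throwaway tree (file names below are made up).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/wpau-backup"
    : > "$tmp/wpau-backup/wpau-db-backupXXXXXXXX.zip"
    : > "$tmp/wpau-backup/wpau-files-bak-YYYYYYYY.zip"
    echo "leftover archives: $(count_leftover_backups "$tmp")"
    harden_backup_dir "$tmp"
    if backup_dir_is_hardened "$tmp"; then
        echo "wpau-backup is now hidden from indexing and denied over HTTP"
    fi
    rm -rf "$tmp"
}

demo
```

Run it on the server as the web user with the WordPress root as the argument to each function; a non-zero count means archives containing wp-config.php and a database dump are still on disk and should be deleted, not just hidden. The .htaccess is a belt-and-braces measure for anyone who cannot remove the directory outright.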
So, the full path to the blog is: /home/.anubis/keithdsouza/techie-buzz.com
The full list of activated plugins follows:
404-notifier/404-notifier.php
MyAvatars/myavatars.php
ST_AddRelated2Feed.php
adsense-injection.php
akismet/akismet.php
all-in-one-seo-pack/all_in_one_seo_pack.php
better-comments-manager/better-comments-manager.php
better-tags-manager/better-tags-manager.php
brianslatestcomments.php
briansthreadedcomments.php
cforms/cforms.php
comment-relish.php
diggthis1.1.3.php
download-counter.php
easygravatars/easygravatars.php
feedburner_feedsmith_plugin_2.2/FeedBurner_FeedSmith_Plugin.php
full-text-feed/full_feed.php
future_calendar.php
google-analyticator/google-analyticator.php
google-sitemap-generator/sitemap.php
increase-sociability/increase-sociability.php
kb-robotstxt/kb-robots-txt.php
kontera/kontera.php
live-comment-preview/live-comment-preview.php
loginlockdown/loginlockdown.php
math-comment-spam-protection/math-comment-spam-protection.php
mydashboard/mydashboard.php
no-self-ping/no-self-pings.php
notify-unconfirmed-subscribers/notify-unconfirmed-subscribers.php
ozh-better-feed/wp_ozh_betterfeed.php
plugin-central/plugin-central.php
pmetrics-wordpress.php
popularity-contest/popularity-contest.php
psychic-search/psychic-search.php
recent-posts/recent-posts.php
related-posts.php
runPHP/runPHP.php
seo-title-tag/seo-title-tag.php
show_top_commentators.php
simple-forum/sf-control.php
sitemap-generator/sitemap-generator.php
srg_clean_archives.php
stats/stats.php
subscribe-to-comments/subscribe-to-comments.php
subscriber-gadget.php
techie-social/techie-social.php
technorati-rank/technorati-rank.php
top10.php
tpbc.php
what_would_seth_godin_do.php
wp-admin-fluency/wp-admin-fluency.php
wp-cache/wp-cache.php
wp-contact-form/wp-contactform.php
wp-db-backup/wp-db-backup.php
wp-page-numbers/wp-page-numbers.php
wp-reinvigorate.php
wp-subscribed.php
The random filename for database backup is: wpau-db-backupHmttozkA.zip
The random filename for files backup is: wpau-files-bak-wfxtiEGj.zip
The file no longer exists (it was cleaned up), but if it did, you could download the database backup directly, even with directory indexing turned off.
I tried this on a few blogs and 30% of them didn’t have the backup files removed, and I could download them using the random file name I got from WPAU’s leftover files.
The author of the plugin was informed about this on 2008-08-18.
This was fixed on 2008-08-21 with WordPress Automatic Upgrade 1.2.2.
I know you updated me about this, but what you did here was totally ridiculous. I would appreciate it if you take this off for now, at least.