# # # Backupbuddy - sensitive data exposure in importbuddy.php # # "the premiere WordPress backup plugin to backup, restore and move WordPress" # http://ithemes.com/purchase/backupbuddy/ # # known versions affected: v1.3.4, v2.1.4, v2.2.25, v2.2.28, v2.2.4, likely other versions also # # impact: # access to wordpress site and sql backups # disclosure of server configuration information # # author: robarmstrong.te71@gmail.com # summary The final step in the importbuddy backup restoration process is supposed to remove importbuddy.php from the root of the site, however this step often fails (most commonly as a result of filesystem permissions) allowing an attacker access to some or all of the functions and information provided by importbuddy.php. An access password for importbuddy does not appear to be a mandatory requirement. Forcing the user to set a password (and fixing the authentication bypass) would go some way to mitigating the risk of importbuddy.php not being deleted. # details The name of the backup file contains a random string intended to prevent an attacker from guessing its value. However if backup files are present, browsing to http://site/importbuddy.phpwill expose their filenames; these can then be used to download the files from the site: <select name="file" style="max-width: 590px;"> <option value="backup-zipfile-date-randomstring.zip">backup-zipfile-date-randomstring.zip</option> </select> The desired backup file can be retrieved with: wget http://site/backup-zipfile-date-randomstring.zip The backup consists of a zip archive containing the wordpress directory, complete with wp-config.php and often a .sql dump containing a full copy of the wordpress database and any other databases the backupbuddy plugin has been configured to include. Importbuddy also presents the option to upload a backup on step 1 of the restoration process, potentially allowing defacement or deletion and also trojanning the site if an existing backup is available. Additionally there are issues affecting the 'step' query string field. This has a differing impact depending on the version of Backupbuddy targeted: http://site/importbuddy.php?step=1 - Can be used to avoid the password check on step 1 (if a password has been set) by passing ?step=[2-7] - Steps 2 and 3 expose the full path of the wordpress install - Skipping to step 7 has the potential to erase the wordpress install (only known to affect v2.2.4) - Accessing http://site/importbuddy.php?step=0&action=phpinfo provides phpinfo information (confirmed on v2.2.25)