WordPress plugin EZPZ One Click Backup Command Injection

2014.05.02
Credit: Henri Salo
Risk: High
Local: No
Remote: Yes
CWE: CWE-78


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Product: WordPress plugin EZPZ One Click Backup
Vulnerability type: CWE-78 OS Command Injection
Vulnerable versions: 12.03.10 and some earlier versions
Fixed version: N/A
Solution: Remove plugin
Vendor notification: Contact details N/A
WordPress plugins team notification: 2014-04-30
Risk: High
CVE: CVE-2014-3114

Vulnerability Details:

The plugin contains a flaw that is triggered because input passed via the 'cmd' parameter to ezpz-archive-cmd.php is not sanitized before it is handed to exec(). With a specially crafted request, an unauthenticated remote attacker can execute arbitrary commands directly on the operating system.

http://plugins.svn.wordpress.org/ezpz-one-click-backup/tags/12.03.10/functions/ezpz-archive-cmd.php

    <?php
    // No authentication, nonce or allow-list check: the decoded value of the
    // 'cmd' query parameter is passed straight to the system shell.
    if (isset($_GET['cmd'])){
        exec(urldecode($_GET['cmd']));
        tmp_write("<h2>Running zip page...<h2>");
    }
    ?>

Steps to reproduce:

http://example.com/wp-content/plugins/ezpz-one-click-backup/functions/ezpz-archive-cmd.php?cmd=uptime

Notes:

The plugin can no longer be downloaded from the WordPress admin panel or from the links below, but it is still in use on many sites, as the following search shows:

inurl:"/wp-content/plugins/ezpz-one-click-backup/"

https://wordpress.org/plugins/ezpz-one-click-backup/
http://downloads.wordpress.org/plugin/ezpz-one-click-backup.latest-stable.zip

From the developer's website 2012-04-27:

"""
Due to recent changes in the Dropbox API, EZPZ One Click Backup can no longer save files to Dropbox. I apologize but due to various reasons there will be no new versions released or further support for EZPZ OCB in the foreseeable future. For a reliable, inexpensive alternative I recommend trying MyRepono and the MyRepono Plugin. This service, while not entirely free (the fees are as low as 2¢ a day for a small site), works great on WordPress sites as large as 5GB, maybe even larger. MyRepono gives a $5.00 credit when signing up for the service so there is no cost to try it out. Again, I apologize to all EZPZ One Click Backup users and wish you all the best.
"""

Might be related: http://wordpress.org/support/topic/plugin-ezpz-one-click-backup-possible-security-flaw

--- Henri Salo

References:

http://seclists.org/oss-sec/2014/q2/221
http://wordpress.org/support/topic/plugin-ezpz-one-click-backup-possible-security-flaw
http://plugins.svn.wordpress.org/ezpz-one-click-backup/tags/12.03.10/functions/ezpz-archive-cmd.php


Copyright 2024, cxsecurity.com