Release Date: 28-Mar-2011

Last Update: 28-mar-2011

Vendor Notification Date: 25-Mar-2011

Product: BackWPup

Platform: PHP / WordPress

Affected versions: 1.6.1 (verified) and possibly others

Severity Rating: High

Impact: System Access

Attack Vector: Remote without authentication

Solution Status: Upgrade to version 1.7.1

CVE reference: Not yet assigned

Details

A vulnerability has been discovered in the WordPress plugin BackWPup 1.6.1 which can be exploited to execute local or remote code on the web server.
The Input passed to the component wp_xml_export.php via the “wpabs” variable allows the inclusion and execution of local or remote PHP files as long as a “_nonce” value is known. The “_nonce” value relies on a static constant which is not defined in the script meaning that it defaults to the value “822728c8d9”.

Please refer to the PDF version of this advisory for proof of concept code examples.

Solution

Upgrade to BackWPup 1.7.1

Discovered By

Phil Taylor from Sense of Security Labs.