Calling meb_download.php directly and iterating over the archive zip file names allows an intruder to get the full blog archive, including wp-config.php, without any permissions.
You must fix this ASAP.
Read more details at
http://www.shinephp.com/myeasybackup-plugin-breaks-wordpress-security
http://wordpress.org/extend/plugins/myeasybackup/
camaleo
Member
Posted 3 years ago
Hi,
Going to release version 0.0.3 in the next 15 minutes. Added the following code at the beginning of meb_download.php:

// Take the host part of the Referer header: strip the scheme, then keep
// everything before the first slash.
$tmp = explode('://', $_SERVER['HTTP_REFERER']);
$path = explode('/', $tmp[1]);
$referer = $path[0];
// Stop unless the Referer host, the Host header and the server name all agree.
if( ($_SERVER['HTTP_HOST'] != $_SERVER['SERVER_NAME'])
    ||
    ($_SERVER['HTTP_HOST'] != $referer)
    ||
    ($_SERVER['SERVER_NAME'] != $referer) )
{
    return;
}
that should fix the issue, can you please confirm?
Thanks
Hi,
I use a simpler approach: check whether one of the WordPress functions or constants is defined, and if it is not, stop execution, e.g.
if (! defined("WPLANG")) {
die; // Silence is golden, direct call is prohibited
}
camaleo
Member
Posted 3 years ago
You are right, but I needed to avoid the 'headers already sent' issue, so I had to directly load the page ;-)
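The thread above settles on two ways to block direct calls to meb_download.php: comparing the Referer host with the server name, or exiting when a WordPress constant such as WPLANG is not defined. Neither checks who is asking: the Referer is a header the client sends, and a constant check only tells the script that WordPress loaded it, not that an administrator requested the file. The following is an added example, not the plugin's code or either poster's, of a download endpoint that keeps the direct-load approach the author needed for the 'headers already sent' problem but bootstraps WordPress itself so it can require a logged-in administrator, a nonce, and a validated file name. The backup directory, the `file` and `_wpnonce` parameters, the nonce action name `meb_download`, and the relative path to wp-load.php are assumptions, not details from the thread.

```php
<?php
// Added example (not MyEasyBackup's code): a hardened meb_download.php that is
// still entered directly by the browser, but loads WordPress before doing
// anything so the request can be authenticated and authorised.
//
// Assumptions (not from the forum thread): the plugin lives in
// wp-content/plugins/<name>/, archives live in one directory
// ($meb_backup_dir), and the admin UI builds the download link with
// wp_nonce_url($url, 'meb_download') and a ?file=<name>.zip parameter.

// 1. Bootstrap WordPress so wp_verify_nonce(), current_user_can() etc. exist.
//    Loading wp-load.php renders no page, so no output precedes our headers.
$wp_load = dirname(__FILE__) . '/../../../wp-load.php';
if (!is_file($wp_load)) {
    http_response_code(500);
    exit; // cannot locate WordPress; refuse rather than serve anything
}
require_once $wp_load;

// 2. Authentication and authorisation: a backup contains wp-config.php and
//    therefore the database credentials, so only site administrators get it.
if (!is_user_logged_in() || !current_user_can('manage_options')) {
    status_header(403);
    exit('Forbidden');
}

// 3. CSRF protection: the link must carry a valid nonce for this action.
//    Unlike a Referer header, the nonce is bound to the user and expires.
$nonce = isset($_GET['_wpnonce']) ? (string) $_GET['_wpnonce'] : '';
if (!wp_verify_nonce($nonce, 'meb_download')) {
    status_header(403);
    exit('Invalid or expired download link');
}

// 4. Input validation: accept only a bare archive name, never a path, and
//    confirm the resolved file really sits inside the backup directory.
$meb_backup_dir = WP_CONTENT_DIR . '/myeasybackup'; // assumed location
$requested = isset($_GET['file']) ? (string) $_GET['file'] : '';
if (!preg_match('/\A[A-Za-z0-9_\-]+\.zip\z/', $requested)) {
    status_header(400);
    exit('Bad file name');
}
$real_dir  = realpath($meb_backup_dir);
$real_file = realpath($meb_backup_dir . '/' . $requested);
if ($real_dir === false || $real_file === false
    || strpos($real_file, $real_dir . DIRECTORY_SEPARATOR) !== 0) {
    status_header(404);
    exit('Not found');
}

// 5. Stream the archive. Every check above ran before the first header() call,
//    and nothing has been echoed, so 'headers already sent' cannot occur here.
header('Content-Type: application/zip');
header('Content-Disposition: attachment; filename="' . basename($real_file) . '"');
header('Content-Length: ' . filesize($real_file));
header('X-Content-Type-Options: nosniff');
readfile($real_file);
exit;
```

The order matters: WordPress is loaded first, the user and nonce are checked second, and the file name is validated third, so an unauthenticated request never reaches the file system. The `realpath()` comparison is what stops `../` or symlink tricks even if the regular expression were later relaxed; the regular expression in turn prevents enumeration attempts with anything other than a plain archive name.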