
[Plugin: myEASYbackup] Plugin has a critical vulnerability. Must fix ASAP. (4 posts)

  1. Vladimir Garagulya
    Member
    Posted 4 years ago #

    A direct call of meb_download.php, iterating over the archive zip file names, allows an intruder to get the full blog archive, including wp-config.php, without any permissions.
    You must fix this ASAP.
    Read more details at
    http://www.shinephp.com/myeasybackup-plugin-breaks-wordpress-security

    http://wordpress.org/extend/plugins/myeasybackup/

  2. camaleo
    Member
    Posted 4 years ago #

    Hi,

    going to release version 0.0.3 in the next 15 minutes. Added the following code at the beginning of meb_download.php

    <?php
    // Guard placed at the top of meb_download.php: take the host part of the
    // (client-supplied) Referer header and require that it matches both
    // HTTP_HOST and SERVER_NAME; otherwise stop before anything is served.
    $referer = '';
    if (isset($_SERVER['HTTP_REFERER'])) {
        $tmp     = explode('://', $_SERVER['HTTP_REFERER']);
        $path    = explode('/', isset($tmp[1]) ? $tmp[1] : '');
        $referer = $path[0];
    }
    if (   ($_SERVER['HTTP_HOST'] != $_SERVER['SERVER_NAME'])
        || ($_SERVER['HTTP_HOST'] != $referer)
        || ($_SERVER['SERVER_NAME'] != $referer) )
    {
        return;  // a top-level return ends the directly called script
    }

    that should fix the issue, can you please confirm?

    Thanks

  3. Vladimir Garagulya
    Member
    Posted 4 years ago #

    Hi,

    I use a simpler solution: check whether one of the WordPress functions or constants is defined; if it isn't, stop execution, e.g.

    if (! defined("WPLANG")) {
      die;  // Silence is golden, direct call is prohibited
    }

  4. camaleo
    Member
    Posted 4 years ago #

    you are right, but I needed to avoid the 'headers already sent' issue, so I had to directly load the page ;-)
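Putting the two guards discussed in this thread together, as an added example that is not code from myEASYbackup or from either poster: the download handler is reachable only through WordPress's admin-post.php, so a direct request never runs it; it checks the caller's capability and a nonce instead of the forgeable Referer header; it refuses file names that resolve outside the backup directory; and it sends its headers before any output, which also sidesteps the "headers already sent" problem. The action name, the backup directory constant and the function names are hypothetical.

```php
<?php
// Added example (not the plugin's code). Stop any direct request to this file:
// outside WordPress, ABSPATH is never defined.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Constructed value for the example: the directory holding the zip archives.
define( 'MEB_EXAMPLE_BACKUP_DIR', WP_CONTENT_DIR . '/meb-example-backups/' );

// admin_post_{action} fires only for logged-in users, so anonymous callers never get here.
add_action( 'admin_post_meb_example_download', 'meb_example_download' );

// Builds the link an admin page would show; the nonce is tied to the action name.
function meb_example_download_url( $name ) {
    $url = admin_url( 'admin-post.php?action=meb_example_download&file=' . rawurlencode( $name ) );
    return wp_nonce_url( $url, 'meb_example_download' );
}

function meb_example_download() {
    // 1. Authorization: only administrators may fetch a full site backup.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF protection: verify the nonce instead of trusting the Referer header.
    check_admin_referer( 'meb_example_download' );

    // 3. Input validation: keep only a base name so "../" and absolute paths are dropped.
    $name = isset( $_GET['file'] ) ? basename( wp_unslash( $_GET['file'] ) ) : '';
    if ( $name === '' || ! preg_match( '/^[A-Za-z0-9_.-]+\.zip$/', $name ) ) {
        wp_die( 'Invalid backup name.', '', array( 'response' => 400 ) );
    }
    // 4. Containment: the resolved path must still lie inside the backup directory.
    $path = realpath( MEB_EXAMPLE_BACKUP_DIR . $name );
    $dir  = realpath( MEB_EXAMPLE_BACKUP_DIR );
    if ( $path === false || $dir === false || strpos( $path, $dir . DIRECTORY_SEPARATOR ) !== 0 ) {
        wp_die( 'Backup not found.', '', array( 'response' => 404 ) );
    }

    // Headers go out before any output, then the archive is streamed and the request ends.
    nocache_headers();
    header( 'Content-Type: application/zip' );
    header( 'Content-Disposition: attachment; filename="' . $name . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
}
```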

This topic has been closed to new replies.