
WordPress Database Backup: Directory Traversal Vulnerability (35 posts)

  1. skippy
    Member
    Posted 8 years ago #

    There is a Bugtraq announcement about a directory traversal vulnerability in WP-DB Backup.

    I have confirmed that this exists. I do not have a fix at this time. Stay tuned for more details.

  2. yosemite
    Member
    Posted 8 years ago #

    Thanks for the heads-up.

  3. vkaryl
    Member
    Posted 8 years ago #

    Thanks, skippy. You are, as always, a class act.

  4. splanters
    Member
    Posted 8 years ago #

    Hey skippy, I know you're working on this (thanks for the heads up). But, for the time being, do you (or anyone else) have a recommendation as to what to do? What I mean is, will deactivating the plugin suffice, or should it be removed completely?

  5. vkaryl
    Member
    Posted 8 years ago #

    My recommendation is now and always has been to not only NOT activate the plugin but to delete it. That's nothing to do with skippy, just because I'm a paranoid bitch, and I don't leave ANYTHING world-writeable.

  6. splanters
    Member
    Posted 8 years ago #

    lol @ vkaryl. I didn't take it as anything to do with skippy. That plugin of his saved my butt - twice ;) However, I would agree vkaryl - thanks for the info.

    Matter of fact, I'm heading over to skippy's site right now to drop a small donation. Might be nice if others would too as he's working hard to fix the issue (I do not work for skippy) :)

  7. vkaryl
    Member
    Posted 8 years ago #

    Yup. All too true. I realize that the world is full of folks who don't know how to get a db dump, but truthfully I do NOT think it's a kindness to hold their hands like this....

  8. splanters
    Member
    Posted 8 years ago #

    not sure what you mean by "I do NOT think it's a kindness to hold their hands like this..." but I assume you are talking about the security issue <shrug>

  9. vkaryl
    Member
    Posted 8 years ago #

    I'm talking about including with the distro a plugin that requires one leave a whole area of one's site world-writeable because a few people are too lazy to figure out how to do a database dump the normal way.

    [That falls within "being a bitch", btw.]

  10. skippy
    Member
    Posted 8 years ago #

    I renamed the file from wp-db-backup.php to something else. That way, when I replace the file with the fixed version I won't need to re-activate it. Of course this means that cron jobs won't run, but that shouldn't be a big deal for the time being.

    I honestly don't know whether WordPress allows execution of the plugin when accessed directly, even if the plugin has been disabled.

  11. skippy
    Member
    Posted 8 years ago #

    vkaryl: for the record, the original version of my plugin only required write access to the /backup/ directory inside /wp-content/ and then only for the web server, not for everyone.

    When Matt bundled WP-DB Backup with the core WordPress download, he modified it to use a semi-secret suffix on the directory name, so that folks couldn't guess the on-disk location of the backup files. This was a reasonable thing to do.

    The plugin tries to automatically make this directory, and dies if it cannot succeed. As such, the /wp-content/ directory needs to be writable. Again, it really only needs write access to the webserver, but the docs team seems to have found it easier to just tell people to make it world-writable.

    I questioned Matt about this, and his reply was "/wp-content/ was always meant to be writable." I disagree strongly with this position, myself, but it's out of my hands at this point. *sigh*
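Post 11 above describes the mechanism: the plugin creates a suffixed backup directory under /wp-content/ and dies if it cannot, which is why the docs ended up recommending 777. The following is an added example (not WP-DB Backup's own code) of creating that directory with web-server-only write access and auditing a tree for world-writable paths; the directory names and the "a1b2c3" suffix are constructed for the demo.

```php
<?php
// Added example, not code from WP-DB Backup. The wp-content tree below is
// constructed in a temp directory so the script runs offline.

// Create the suffixed backup directory the thread describes, writable by the
// web server user (the process owner) only, never mode 0777.
function create_backup_dir(string $wpContent, string $suffix): string
{
    $dir = $wpContent . '/backup-' . $suffix;
    if (!is_dir($dir) && !@mkdir($dir, 0755)) {
        // Where the plugin simply dies, say which directory needs to be writable
        // by the web server user, so nobody reaches for chmod 777 on all of wp-content.
        throw new RuntimeException("Cannot create $dir; give the web server user write access to $wpContent");
    }
    return $dir;
}

// List $root and everything under it whose mode grants write to "other"
// (the 777/666 case the thread warns about).
function find_world_writable(string $root): array
{
    $hits = (fileperms($root) & 0002) ? [$root] : [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        if ($info->getPerms() & 0002) {
            $hits[] = $path;
        }
    }
    return $hits;
}

// Constructed fixture: start from the setting the docs recommended (777).
$wpContent = sys_get_temp_dir() . '/wp-content-example-' . getmypid();
mkdir($wpContent, 0777, true);
chmod($wpContent, 0777);   // mkdir is subject to umask; force the bad mode for the demo
$backup = create_backup_dir($wpContent, 'a1b2c3');
foreach (find_world_writable($wpContent) as $p) {
    echo "world-writable: $p\n";   // reports $wpContent itself; the backup dir is 0755
}

// Corrected setting: owner (the web server user) writes, everyone else only reads.
chmod($wpContent, 0755);
echo find_world_writable($wpContent) === [] ? "no world-writable paths\n" : "still open\n";

rmdir($backup); rmdir($wpContent);
```

On a real install the same audit can be run against the actual wp-content path; anything it reports is a candidate for chown to the web server user plus chmod 755.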

  12. splanters
    Member
    Posted 8 years ago #

    vkaryl,

    [That falls within "being a bitch", btw] yeah, I've noticed a lot of that around here to be honest.

    I just don't see the need for being that way myself - I guess to each their own. I just figure this is a place to seek help - from newbies to even seasoned veterans with really difficult sql issues (relating to wp).

    Personally, I think it is a good thing to add the plugin to make it easier for people to save their work, until they graduate to learning to use phpmyadmin to grab the db dump - the easier wp is to use, the higher the adoption rate. And I apply the same logic to etiquette in the forums (tis why I've been a stickler I guess about "politeness" as of late - even if in the process I've ended up being a jerk too). wp is a great tool and I hate to see people driven away by a person's need to answer a question less nicely. I just don't understand the need - although, I don't spend all day every day around here... I have today to try and get a feel for what it's like.

    as for you being a bitch vkaryl... I don't think ya are ;) [of course, I don't know you and I certainly won't cross you] :)

  13. First off, let me address something in this announcement:

    You must have administrator rights in the wordpress blog to exploit this vulnerability.

    Administrator users are expected to be trusted users. I mean, this goes back to the whole security "exploit" where admins of a blog could post malicious Javascript into a post. :rolleyes:

    But then again, this does go a bit farther than that...

    I honestly don't know whether WordPress allows execution of the plugin when accessed directly, even if the plugin has been disabled.

    Well, I don't believe WordPress can stop that.

    But regardless, functions like get_settings() and such usually break plugins when called directly because they are defined in WordPress. But it's still a good idea to check permissions in plugins. ;)

  14. vkaryl
    Member
    Posted 8 years ago #

    I know, skippy. I made my distress about Matt's "position" known when it happened. What occurred is NOT YOUR FAULT. I guess those who have some major server difficulties with the obtaining situation should be pointed to Matt as far as blame, though I doubt he'll accept responsibility or offer redress. In this world, in this 'net culture, there IS NO EXCUSE for the way Matt allowed this to enter the script.

    [Oh, "someone" doesn't like my attitude? Hey, FIRE ME. Oh wait. I'm an unpaid volunteer....]

  15. vkaryl
    Member
    Posted 8 years ago #

    Vipe ol' buddy.... those admin rights are just not very "safe" these days....

  16. vkaryl
    Member
    Posted 8 years ago #

    splanters - yeah, I AM a bitch - and an old one at that. I just try to keep it to a dull roar around here any more.

  17. Vipe ol' buddy.... those admin rights are just not very "safe" these days....

    Heh, a valid point. ;)

  18. splanters
    Member
    Posted 8 years ago #

    That someone me, vkaryl? I'm ok with that. Just goes to show ya some people just get off being mean-spirited I guess, but I digress. Like being an unpaid volunteer is an excuse for being a bitch? Ok then...

  19. vkaryl
    Member
    Posted 8 years ago #

    Thing is, people don't really know what not to do. And telling them to make a folder world-writeable simply to make a database dump is sheer stupidity.

    For instance. A REAL host will make a database backup for you any time you ask. Now if you're hosting on the cheapest solution, there's a couple of things: first, you have almost no support, so you have no backups; second, believe me when I tell you that making any folder on your site world-writeable is going to be a bad thing - BECAUSE YOU HAVE NO HOST SUPPORT....

    Um. So I guess I'm preaching to the choir, ain't?

  20. vkaryl
    Member
    Posted 8 years ago #

    "that someone me vkaryl? I'm ok with that. just goes to show ya some people just get off being mean-spirited I guess, but I digress. Like being an unpaid volunteer is an excuse for being a bitch? Ok then..."

    Um. No. I was mostly meaning Matt. With whom I have already had some "words". Several times.

    How about you don't take offense until someone really points something at you, hmm?

  21. Michael Bishop

    Posted 8 years ago #

    Can someone expound on why admin rights are "not very safe these days"?

  22. splanters
    Member
    Posted 8 years ago #

    vkaryl

    fair enough...

  23. vkaryl
    Member
    Posted 8 years ago #

    Because people tend to give admin rights to totally unsuitable folks. And then they get upset because those totally unsuitable folks do stuff that trashes their blog....

    Alternatively, they don't use good passwords, and then some crack program allows entry which is also not a good thing, of course.

    Does this mean these people who do this sort of silliness will be better protected by allowing write access to areas on their domains? No, certainly not.

    What it means is that NO ONE should hand-hold people who want to use wp. The basic things everyone using wp should know:

    1. NEVER give anyone admin access to your blog unless you are holding their firstborn hostage.

    2. Use a "quality password" generator religiously.

    3. NEVER leave any folder world-writeable.

    4. Learn how to use the available options for managing your blog. YOU are responsible for its security. If necessary, YOUR HOST should be able to help you with this; it should never be an option for any script or program to allow 777 (world writeability) to be set on its folders or files; and in fact any program or script which does so should be considered suspect by your host provider.

    People who need hand-holding like that should be shuffled off to squarespace or whoever.

  24. Michael Bishop

    Posted 8 years ago #

    So what you are saying is that if a user is the sole admin, and uses a solid password, this vulnerability is not necessarily at defcon 10?

    And I'd like to leave the world writability out of the equation, for another thread.

  25. vkaryl
    Member
    Posted 8 years ago #

    Well, if a user is the sole admin, and the password is solid (24+ characters, using a decent password gen) and the machine used for normal access is not open/suspect, I would personally consider it "okay" - maybe not perfect, but at least not readily accessible - assuming no 777 folders (fine, do another thread, but that's still the "meat" of this one in a way....)

    Um. What's "defcon 10"?

  26. skippy
    Member
    Posted 8 years ago #

    "defcon" is Defense Condition.

    Ryan Boren cooked up a fix for the directory traversal vulnerability. Download it here.

  27. Michael Bishop

    Posted 8 years ago #

    Will this work with the Cron jobs then?

  28. vkaryl
    Member
    Posted 8 years ago #

    Ah. Thanks, skippy.... I don't pay any attention to stuff like that. I don't do movies at all. And if they're going to blow me away tomorrow, how is knowing about it today going to help? Guess that's one nice thing about being "old"....

  29. skippy
    Member
    Posted 8 years ago #

    miklb: I don't see why not. The modifications Ryan made only check to ensure that directory traversal isn't happening (using "../" in the file name to move up the directory tree). The cron job backups shouldn't be doing anything like that.
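Post 29 above describes the fix as a check that the requested file name does not use "../" to climb out of the backup directory. As an added example (not Ryan Boren's patch or the plugin's code), the function below layers that check with a bare-file-name rule and a realpath containment test, so that symlinks and absolute paths are caught as well; the backup directory, suffix and file names are constructed for the demo.

```php
<?php
// Added example, not WP-DB Backup's own code nor Ryan Boren's fix.
// Directory names and file names below are constructed for the demo.
// Resolve a user-supplied backup file name to a path inside $backupDir,
// or return null if it would escape that directory.
function resolve_backup_file(string $backupDir, string $requested): ?string
{
    // Layer 1: the check the thread describes, reject "../" in the name outright.
    if (strpos($requested, '../') !== false || strpos($requested, '..\\') !== false) {
        return null;
    }
    // Layer 2: a backup name is a bare file name; any directory part is suspect.
    if ($requested !== basename($requested)) {
        return null;
    }
    // Layer 3: canonicalise and confirm containment (catches symlinks, absolute paths).
    $base = realpath($backupDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false
        || strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed fixture: a suffixed backup dir with one dump, and a file outside it.
$root = sys_get_temp_dir() . '/wpdb-example-' . getmypid();
$backupDir = $root . '/backup-a1b2c3';
mkdir($backupDir, 0755, true);
file_put_contents($backupDir . '/blog.sql.gz', 'dump');
file_put_contents($root . '/wp-config.php', 'secret');

$cases = [
    'blog.sql.gz'             => 'allowed',
    '../wp-config.php'        => 'blocked',
    'x/../../wp-config.php'   => 'blocked',
    $root . '/wp-config.php'  => 'blocked',
];
foreach ($cases as $name => $expected) {
    $got = resolve_backup_file($backupDir, $name) === null ? 'blocked' : 'allowed';
    printf("%-45s %s (expected %s)\n", $name, $got, $expected);
}
// Clean up the fixture.
unlink($backupDir . '/blog.sql.gz'); unlink($root . '/wp-config.php');
rmdir($backupDir); rmdir($root);
```

The containment test is the part that matters for a cron job too: a scheduled backup only ever writes a bare file name into the backup directory, so it passes all three layers unchanged.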

  30. petit
    Member
    Posted 8 years ago #

    World writability really sounds scary, and I think it would be a good idea to give the user community some solid advice as to what the necessary permissions are.
    Making a backup with Skippy's plugin is convenient, and I think it should stay in.

    I use it all the time, and I'll continue doing so, lazy as I am. I don't wp-cron it, just activate it for a few seconds to make the backup and then close it down.

    I feel safe with that, and to reiterate:

    Description:
    WP-DB Backup is vulnerable to directory traversal attack.
    You must have administrator rights in the wordpress blog to exploit this vulnerability.

This topic has been closed to new replies.