[Plugin: myEASYbackup] Plugin has a critical vulnerability. Must fix ASAP. | WordPress.org

Vladimir Garagulya
(@shinephp)

14 years, 1 month ago

Direct call of meb_download.php with going over archive zip file names allows to intruder get full blog archive including wp-config.php without any permissions.
You must to fix this ASAP.
Read with more details at
http://www.shinephp.com/myeasybackup-plugin-breaks-wordpress-security

http://wordpress.org/extend/plugins/myeasybackup/

Viewing 3 replies - 1 through 3 (of 3 total)

ugosinhache
(@camaleo)

14 years, 1 month ago
Hi,

going to release version 0.0.3 in the next 15 minutes. Added the following code at the beginning of meb_download.php
```
<br />
$tmp = explode('://', $_SERVER['HTTP_REFERER']);<br />
$path = explode('/', $tmp[1]);<br />
$referer = $path[0];<br />
if(	($_SERVER['HTTP_HOST'] != $_SERVER['SERVER_NAME'])<br />
		||<br />
	($_SERVER['HTTP_HOST'] != $referer)<br />
		||<br />
	($_SERVER['SERVER_NAME'] != $referer) )<br />
{<br />
	return;<br />
}<br />
```
that should fix the issue, can you please confirm?

Thanks
Thread Starter Vladimir Garagulya
(@shinephp)

14 years, 1 month ago
Hi,

I use more simple decision – check if some of WordPress functions or constants is defined, if it doesn’t, then stop execution, e.g.
```
if (! defined("WPLANG")) {
  die;  // Silence is golden, direct call is prohibited
}
```
ugosinhache
(@camaleo)

14 years, 1 month ago

your are right, but I needed to avoid the ‘headers already sent’ issue, so had to directly load the page 😉

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘[Plugin: myEASYbackup] Plugin has a critical vulnerability. Must fix ASAP.’ is closed to new replies.

Tags

break

In: Requests and Feedback
3 replies
2 participants
Last reply from: ugosinhache
Last activity: 14 years, 1 month ago
Status: not resolved

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics