28 Oct

Vulnerability Details: Cross-Site Request Forgery (CSRF) Vulnerability in WP Database Backup

From time to time vulnerabilities are fixed in a plugin without anyone putting out a report on the vulnerability, and in those cases we will put out a post detailing the vulnerability. While putting out the details of the vulnerability increases the chances of it being exploited, it also can help to identify vulnerabilities that haven’t been fully fixed (in some cases not fixed at all) and help to identify additional vulnerabilities in the plugin.

The changelog entry for version 4.3.6 of the WP Database Backup states that “Fixed CSRF vulnerabilities issue (suggestion by Tristan)”. Looking at the changes made in that version the fix is easy to spot.

The fix changes several links to include nonces. For example, the code that creates the “Create New Database Backup” link was changed from this in 4.3.5 (in the file /includes/admin/class-wpdb-admin.php):

echo '<a href="' . site_url() . '/wp-admin/tools.php?page=wp-database-backup&action=createdbbackup" class="btn btn-primary"><span class="glyphicon glyphicon-plus-sign"></span> Create New Database Backup</a>';

to this in 4.3.6:

$nonce = wp_create_nonce( 'wp-database-backup' );
echo '<a href="' . site_url() . '/wp-admin/tools.php?page=wp-database-backup&action=createdbbackup&_wpnonce='.$nonce.'" class="btn btn-primary"><span class="glyphicon glyphicon-plus-sign"></span> Create New Database Backup</a>';

Including the nonce in the URL doesn’t make any difference if its validity isn’t properly checked, and the code to do that was also added in 4.3.6:

if (isset($_REQUEST['_wpnonce']) && wp_verify_nonce($nonce, 'wp-database-backup' ) ) {

What that means in practical terms is that in version 4.3.5 and below, if you could get a logged-in Administrator to visit the URL /wp-admin/tools.php?page=wp-database-backup&action=createdbbackup, you could have caused them to create a new database backup.

The same change was made to the “Remove Database Backup” and “Restore Database Backup” links for individual database backups, and also to the “Clear all old/temp database backup files” link.
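To make the difference between the two versions concrete, here is an added example (not the plugin’s own code) of the same page pattern in its 4.3.5-style form and in a nonce-protected form. It reuses the page slug and nonce action from the plugin above, but the functions example_backup_page_vulnerable(), example_backup_page_hardened() and example_run_backup() are hypothetical, and example_run_backup() is assumed to exist and perform the actual backup.

```php
<?php
// Added example, not code from WP Database Backup. Assumes a tools.php admin page
// with the slug 'wp-database-backup' and a hypothetical example_run_backup().

// BEFORE (the 4.3.5-style pattern): any request carrying the action parameter is
// acted on, so a link or image on another site can trigger the backup for a
// logged-in Administrator who follows or loads it.
function example_backup_page_vulnerable() {
    echo '<a href="' . esc_url( admin_url( 'tools.php?page=wp-database-backup&action=createdbbackup' ) ) . '">Create New Database Backup</a>';

    if ( isset( $_REQUEST['action'] ) && 'createdbbackup' === $_REQUEST['action'] ) {
        example_run_backup();
    }
}

// AFTER: the link carries a nonce tied to the action, and the handler verifies the
// token that arrived with the request before doing any work. wp_nonce_url() appends
// the _wpnonce query argument, equivalent to the manual wp_create_nonce() above.
function example_backup_page_hardened() {
    $url = wp_nonce_url(
        admin_url( 'tools.php?page=wp-database-backup&action=createdbbackup' ),
        'wp-database-backup'
    );
    echo '<a href="' . esc_url( $url ) . '">Create New Database Backup</a>';

    if ( isset( $_REQUEST['action'] ) && 'createdbbackup' === $_REQUEST['action'] ) {
        // A nonce proves the request was intended by the user; it does not prove
        // the user is allowed to do this, so keep a capability check as well.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions.' );
        }
        // Verify the value supplied by the client. A missing, forged or expired
        // _wpnonce makes wp_verify_nonce() return false and the request is refused.
        $nonce = isset( $_REQUEST['_wpnonce'] )
            ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) )
            : '';
        if ( ! wp_verify_nonce( $nonce, 'wp-database-backup' ) ) {
            wp_die( 'The link you followed has expired or is invalid.' );
        }
        example_run_backup();
    }
}
```

The same hardening applies to the remove, restore and clear-all links mentioned above; each state-changing action gets its own nonce on the link and a matching wp_verify_nonce() check in the handler.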

Proof of Concept

The following proof of concept will cause a database backup to be created when accessed by an Administrator-level account.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/tools.php?page=wp-database-backup&action=createdbbackup
