Information Disclosure Vulnerability in FastDup
We recently had a hacker probing for usage of the WordPress plugin FastDup on our website with the following request:
/wp-content/plugins/fastdup/readme.txt
There are two recent claims of vulnerabilities in the plugin. While looking to see if those might explain a hacker’s interest in the plugin, we found that it looks like one of the issues hasn’t been fully fixed. We still need to confirm that. That additional issue doesn’t seem to be one hackers would target.
One of the vulnerabilities would be really serious if what was claimed about it was true. The discoverer, WordPress security provider CleanTalk, titled the vulnerability “Unauth Sensitive Data Exposure and Database/ Users password leak.” They further state:
More alarmingly, it allows unauthorized access to sensitive data housed within the database, including user passwords.
That sort of overstated claim was repeated by WPScan, which titled the vulnerability, “Directory Listing to Account Takeover and Sensitive Data Exposure.”
WordPress doesn’t store user passwords in the database; it stores hashes of them, something CleanTalk seems to be aware of, since they wrote right after the sentence we quoted above:
The severity of this flaw is exemplified by the imminent threat it poses, creating a gateway for potential brute force attacks on password hashes and, consequently, the entire compromise of the system.
What is actually going on here is less concerning than it is made out to be. As CleanTalk acknowledged, there is no issue unless the server is set to list the files in a directory when there is no index file, which is normally not how servers are configured:
Directory listing vulnerabilities, such as the one discovered in FastDup, occur when a web server is configured to show the contents of a directory when no index file is present.
If a server were configured that way, the randomized names of the plugin’s backup files would be visible, and those files could then be accessed, including backups of the database. That is certainly a vulnerability, but it wouldn’t easily lead to an account takeover, and it would not expose users’ passwords, only the hashes of them.
The solution for this was to add index.html files to various directories created by the plugin, like this:
    // Create an empty index.html in the backup directory if one is not already there,
    // so a server with directory listing enabled has an index file to serve instead.
    if ( ! file_exists( $path_archive_dir . '/index.html' ) ) {
        @file_put_contents( $path_archive_dir . '/index.html', '' );
    }
That way, even if the server is configured to show a directory listing when there is no index file, the listing won’t appear, because an index file is now present.
In checking into this, we also found that information on the versions impacted is somewhat misleading. The developer released version 2.1.9 that addressed this for new users of the plugin and then released 2.2, which addressed it for existing users.
What Hackers Would Target
The directory that a hacker would request to see the names of the backups that have been made is /wp-content/njt-fastdup/packages/. If you request that directory on your website and you see a listing of files, you are still vulnerable.
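The check described above, turned into a script you can run against a site you administer: it requests the packages directory named in this post and reports whether the response is a directory listing (still vulnerable), a served index file (the fix described earlier is in place), or a blocked path. This is an added example, not code from the post or from the FastDup plugin; the listing markers it looks for are assumptions based on the default Apache and nginx autoindex pages, and the example.com site is a placeholder.

```python
"""Self-check for the FastDup backup directory listing issue."""
import re
import sys
import urllib.error
import urllib.request

# Path the post names as the one that exposes backup file names when listable.
FASTDUP_PACKAGES_PATH = "/wp-content/njt-fastdup/packages/"

# Markers of a default autoindex page (Apache and nginx both emit
# "<title>Index of /...</title>") -- an assumption, not from the post.
_LISTING_RE = re.compile(r"<title>\s*Index of\s*/", re.IGNORECASE)
# A page linking to archive files is also treated as a listing.
_ARCHIVE_LINK_RE = re.compile(r'href="[^"]+\.(?:zip|sql|tar|gz)"', re.IGNORECASE)


def classify_response(status: int, body: str) -> str:
    """Classify one response for the packages directory.

    "listing" -> autoindex page or links to archive files: still vulnerable
    "index"   -> 200 with no listing markers: the empty index.html is served
    "blocked" -> any non-200 status: listing disabled server-side or path absent
    """
    if status == 200 and (_LISTING_RE.search(body) or _ARCHIVE_LINK_RE.search(body)):
        return "listing"
    if status == 200:
        return "index"
    return "blocked"


def check_site(base_url: str, timeout: float = 10.0) -> str:
    """Fetch the packages directory on a site you administer and classify it."""
    url = base_url.rstrip("/") + FASTDUP_PACKAGES_PATH
    req = urllib.request.Request(url, headers={"User-Agent": "fastdup-selfcheck"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return classify_response(resp.status, body)
    except urllib.error.HTTPError as err:
        return classify_response(err.code, "")


if __name__ == "__main__":
    # Placeholder site; pass your own site's URL as the first argument.
    site = sys.argv[1] if len(sys.argv) > 1 else "https://example.com"
    print(site, "->", check_site(site))
```

A result of "listing" means the directory still exposes backup names and the plugin should be updated to a fixed version or directory listing disabled at the server.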
Free Warning
As this vulnerability looks to be targeted by hackers, we are adding accurate data on it to the free data that comes with our Plugin Vulnerabilities plugin.