Product: Duplicator Pro
Discovered by: Evolution Hosting
Version vulnerable: <= 1.3.14
Fixed in: 1.3.15+
Vulnerability Type: Information Disclosure, local exposure of entire
remotely triggerable: not for itself. Needs wp admin interaction.
Update to 1.3.15+ version
We did not test for a possible CSRF combination (i.e. with other plugins
) to lever it to a remote executable attack. Updating your Wordpress
Plugins regularly is a smart idea in general.
25.06.2019 - problem detected
26.06.2019 - vendor contacted
27.06.2019 - first vendor reaction
05.07.2019 - silent patched version made public by vendor
05.07.2019 - working fix confirmed
26.09.2019 - 90day timer run out
Duplicator( Pro ) can import/export/backup Wordpress installations.
While restoring the path after an import/restore, the directory mode of
the apphome is made public, if they were private before.
O== Tested Scenario:
Apache PHP: CGI with user privilege seperation
# ls -la /home/ | grep username
drwxr-x--- 5 username webservices 4096 25. Jun 14:13 username
After Duplicator has done its import/restore:
drwxr-xr-x 5 username webservices 4096 25. Jun 14:17 username
which opens the home directory of this webapp for any other systemuser.
As fileaccessrules usually are relaxed inside a "home" directory, the
entire content along the installation path could be exposed, if the
pathpart was app owned.
This may include database credentials for wp and other apps for the same
O== Temp Fix:
If you have a similar setup as our example above, execute after a restore:
chmod o-rx /home/username
O== Impact on none Linux systems