Share
Product: Duplicator Pro  
Vendor: SnapCreek  
Website: https://snapcreek.com/  
Discovered by: Evolution Hosting  
Version vulnerable: <= 1.3.14  
Fixed in: 1.3.15+  
  
Vulnerability Type: Information Disclosure, local exposure of entire  
webinstallation content  
  
remotely triggerable: not for itself. Needs wp admin interaction.  
  
O== Advise  
  
Update to 1.3.15+ version  
  
We did not test for a possible CSRF combination (i.e. with other plugins  
) to lever it to a remote executable attack. Updating your Wordpress  
Plugins regularly is a smart idea in general.  
  
O== Timeline:  
  
25.06.2019 - problem detected  
26.06.2019 - vendor contacted  
27.06.2019 - first vendor reaction  
05.07.2019 - silent patched version made public by vendor  
05.07.2019 - working fix confirmed  
26.09.2019 - 90day timer run out  
  
O== Description:  
  
Duplicator( Pro ) can import/export/backup Wordpress installations.  
While restoring the path after an import/restore, the directory mode of  
the apphome is made public, if they were private before.  
  
O== Tested Scenario:  
  
OS: Linux  
Apache PHP: CGI with user privilege seperation  
Docroot: "/home/username/public_html/"  
  
# ls -la /home/ | grep username  
drwxr-x--- 5 username webservices 4096 25. Jun 14:13 username  
  
After Duplicator has done its import/restore:  
  
drwxr-xr-x 5 username webservices 4096 25. Jun 14:17 username  
  
which opens the home directory of this webapp for any other systemuser.  
As fileaccessrules usually are relaxed inside a "home" directory, the  
entire content along the installation path could be exposed, if the  
pathpart was app owned.  
  
This may include database credentials for wp and other apps for the same  
user.  
  
O== Temp Fix:  
  
If you have a similar setup as our example above, execute after a restore:  
  
chmod o-rx /home/username  
  
O== Impact on none Linux systems  
  
Unkown.