Security vulnerabilities can appear at any time, even in well-established plugins such as iThemes BackupBuddy. This post focuses on CVE-2022-31474, a directory traversal vulnerability affecting versions 8.5.8 up to and including 8.7.4.1 of the iThemes BackupBuddy plugin, which is widely used for backing up and migrating WordPress sites.

Directory traversal is a class of vulnerability in which an attacker supplies path segments such as "../" in user-controlled input so that a file operation lands outside the directory the application intended. In this case, the result is unauthorized access to a website's backup files.

Exploit Details

The directory traversal vulnerability exists within the BackupBuddy plugin's remote file restore functionality, which restores a file from a backup to a destination path assembled from request parameters. The flaw is that this destination is never confined to the backup directory: an attacker who can reach the restore code and control the path parameter decides where the restored file is written, bypassing the directory boundary the plugin relies on and exposing sensitive files.

In the affected versions, the plugin does not validate or normalize the user-supplied "abspath" parameter before the "restoreFile()" function uses it to build a filesystem path.

Here is a simplified snippet of the vulnerable function:

function restoreFile($file, $abspath, $newpath) {
    // ... (other code)
    
    // $abspath comes straight from the request and is used as the leading
    // path component without any normalization or containment check.
    $restorepath = $abspath . '/' . $newpath;
    
    // ... (other code)
    
    // This check only avoids overwriting an existing file; it does nothing
    // to keep $restorepath inside the intended backup directory.
    if ( !is_file( $restorepath ) ) {
        copy( $file, $restorepath );
    }
    
    // ... (other code)
}

Because "abspath" becomes the leading part of "restorepath" without normalization, a value containing "../" segments moves the destination outside the intended directory. The "is_file()" guard does not help: it only prevents clobbering a file that already exists at the traversed location.

Exploit Example

1. Assume the attacker can reach the endpoint that invokes "restoreFile()" and supply its parameters.
2. The attacker crafts a malicious "abspath" parameter: "../../../wp-content/uploads/"
3. "restoreFile()" concatenates the malicious "abspath" with "newpath", so "restorepath" resolves to a location outside the backup directory; here, the site's "wp-content/uploads" directory, which is served directly over HTTP.
4. The backup file is copied there and the attacker simply downloads it from the web root. A full-site backup typically contains the database dump and the site's configuration files, which gives the attacker material for further attacks.
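To make the flaw and its fix concrete, the following is an added example written for this post; it is not code from iThemes or the BackupBuddy plugin. It places the post's vulnerable concatenation next to a hardened path builder that takes the base directory from server-side configuration, rejects traversal segments, and verifies the resolved destination against the resolved base. The helper names, the "abspath" payload, and the temporary directory layout are assumptions chosen to mirror the exploit steps above.

```php
<?php
// Added example (not BackupBuddy's code). The helper names, the "abspath"
// payload and the directory layout are assumptions mirroring the post's
// description of CVE-2022-31474.

// Vulnerable pattern from the post: a caller-controlled $abspath is
// concatenated directly, so "../" segments walk out of the backup directory.
function vulnerable_restore_path(string $abspath, string $newpath): string
{
    return $abspath . '/' . $newpath;
}

// Hardened replacement: the base directory comes from server-side
// configuration, the caller only names a file inside it, and the result is
// checked against the resolved base before anything is copied.
function safe_restore_path(string $base_dir, string $newpath): string
{
    // Only plain relative paths: no leading slash, no NUL bytes, and no
    // ".", ".." or empty segments (an empty segment comes from "//").
    if ($newpath === '' || $newpath[0] === '/' || strpos($newpath, "\0") !== false) {
        throw new InvalidArgumentException('relative path required');
    }
    foreach (explode('/', str_replace('\\', '/', $newpath)) as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..') {
            throw new InvalidArgumentException('path traversal rejected');
        }
    }

    $real_base = realpath($base_dir);
    if ($real_base === false) {
        throw new RuntimeException('backup directory does not exist');
    }

    // The target file normally does not exist yet, so resolve its parent
    // directory (which must exist) and confirm it sits under the base even
    // after symlinks are followed. The trailing separator stops a sibling
    // such as "/backups-evil" from passing a prefix check against "/backups".
    $candidate = $real_base . DIRECTORY_SEPARATOR . $newpath;
    $real_dir  = realpath(dirname($candidate));
    $prefix    = $real_base . DIRECTORY_SEPARATOR;
    if ($real_dir === false || strncmp($real_dir . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('destination missing or outside backup directory');
    }
    return $real_dir . DIRECTORY_SEPARATOR . basename($candidate);
}

// Demonstration on a constructed temporary directory tree.
$root    = sys_get_temp_dir() . '/bb-demo-' . bin2hex(random_bytes(4));
$backups = "$root/wp-content/uploads/backupbuddy_backups";
mkdir($backups, 0700, true);

// The attacker-supplied "abspath" from the post. Relative to the plugin
// directory (wp-content/plugins/backupbuddy) it resolves to the
// web-accessible uploads directory.
$evil = vulnerable_restore_path('../../../wp-content/uploads/', 'backup.zip');
echo "vulnerable: $evil\n";

echo "safe:       " . safe_restore_path($backups, 'backup.zip') . "\n";

foreach (['../../../wp-content/uploads/backup.zip', '/etc/passwd', 'sub/../../x.zip'] as $bad) {
    try {
        safe_restore_path($backups, $bad);
        echo "UNEXPECTED: accepted $bad\n";
    } catch (Exception $e) {
        echo "rejected:   $bad ({$e->getMessage()})\n";
    }
}

// Remove the constructed tree.
rmdir($backups);
rmdir("$root/wp-content/uploads");
rmdir("$root/wp-content");
rmdir($root);
```

The important design choice is that the hardened version never lets the request choose the base directory at all; "abspath" simply has no equivalent. The segment check removes the obvious "../" payloads, and the realpath() comparison catches what string filtering misses, such as a symlink inside the backup directory that points elsewhere. Run it with the PHP CLI to see the traversed path the vulnerable builder produces and the rejections from the hardened one.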

The impact is disclosure of sensitive information from the backups, which can be leveraged for follow-on attacks such as privilege escalation or unauthorized access to the site's administration.

Mitigation

Update the iThemes BackupBuddy plugin to a patched release (8.7.5 or later) to remove this vulnerability. iThemes addressed the issue by adding proper validation of the path parameters in the fixed versions. Until the update is applied, review the web server access logs for requests to the plugin's restore endpoint and check wp-content/uploads for unexpected backup archives.

References

- CVE-2022-31474 description
- iThemes BackupBuddy Security Advisory

Conclusion

Stay informed about security vulnerabilities and updates to protect your WordPress sites from potential attacks. Running current software and applying the appropriate security measures minimizes the risk from vulnerabilities like CVE-2022-31474.

Timeline

Published on: 03/13/2023 14:15:00 UTC
Last modified on: 03/16/2023 20:05:00 UTC