Everyone loves a good backup system: if anything goes wrong, you are back in business as soon as possible. Done wrong, however, it can be your biggest downfall. As of yesterday (2014-10-09), the WordPress Ready! Backup plugin has it done wrong, breaking three rules of the web:
- Logging the backup process to a text file in a web-viewable location
- Creating backups and storing them inside the main application, which is also web-viewable
- Failing to protect the backup directory itself against directory listing and unauthenticated, arbitrary downloads
This is still working against many WordPress users in the wild. It takes a three-step process:
- Google it (credit for the dork goes to Pro Mast3r)
- Read the text file
- Heist a site
Google It
This is done using Google dorks. The dork to use in this particular instance:
inurl:/wp-content/upready/
If you want to check whether your own site is affected, add the site parameter:
inurl:/wp-content/upready/ site:yoursite.com
Read The Text File
The search above leads to indexed files: mostly text files for sites with directory listing disabled, and SQL dumps as well as zip archives for sites with directory listing enabled.
The text files are the most interesting, however, as they have an additional problem: full path disclosure, i.e. exactly where on the server a site is hosted. On cPanel hosts this means the cPanel username can be read straight out of the path. Let your creativity guide you from there.
The text files are structured as below:
From the above we see:
cPanel Username: d5069024******
Virtual Host Number: 21
Site Backup Name: backup_2014_05_06-19_54_12_id3.zip
SQL Backup Name: backup_2014_05_06-19_54_12_id3.zip
Backup Date: 6th May 2014
Even if directory listing is disabled, the backup can still be fetched directly: the log gives away the exact file name and path, so no listing is needed to build the download URL.
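As an added illustration (not part of the original post or of the plugin's code), this small Python parser shows what a leaked full path gives away. The sample log lines are constructed; the /home/<user>/public_html/ layout is the usual cPanel layout and is an assumption here, while the backup file name pattern is the one quoted above. The direct-download URL it builds is the reason disabling directory listing alone does not help.

```python
import re
from datetime import datetime
from urllib.parse import urljoin

# Constructed sample log lines of the kind a backup log leaks once it records
# full server paths. The /home/<cpanel user>/public_html/ layout is the usual
# cPanel layout and is an assumption; the file name pattern
# backup_YYYY_MM_DD-HH_MM_SS_id<N>.<ext> is the one quoted in the post.
SAMPLE_LOG_LINES = [
    "[2014-05-06 19:54:12] archive written: "
    "/home/d5069024abcd/public_html/wp-content/upready/backup_2014_05_06-19_54_12_id3.zip",
    "[2014-05-06 19:54:20] database dumped: "
    "/home/d5069024abcd/public_html/wp-content/upready/backup_2014_05_06-19_54_12_id3.sql",
    "[2014-05-06 19:54:21] done",
]

PATH_RE = re.compile(r"/home/(?P<user>[A-Za-z0-9_-]+)/public_html/(?P<rel>\S+)")
NAME_RE = re.compile(
    r"backup_(?P<ts>\d{4}_\d{2}_\d{2}-\d{2}_\d{2}_\d{2})_id(?P<id>\d+)\.(?P<ext>zip|sql)$"
)


def parse_disclosed_path(line):
    """Pull out what one leaked full path gives away; None if the line has no path."""
    m = PATH_RE.search(line)
    if not m:
        return None
    rel = m.group("rel")
    info = {
        "cpanel_user": m.group("user"),      # hosting account name, straight from the path
        "web_path": "/" + rel,               # the same file, as the web server exposes it
        "filename": rel.rsplit("/", 1)[-1],
    }
    n = NAME_RE.search(info["filename"])
    if n:
        # The file name itself encodes when the backup was taken and which job made it.
        info["backup_time"] = datetime.strptime(n.group("ts"), "%Y_%m_%d-%H_%M_%S")
        info["backup_id"] = int(n.group("id"))
        info["kind"] = n.group("ext")
    return info


def direct_download_url(site, info):
    """The URL fetched directly; no directory listing is needed once the path is known."""
    return urljoin(site.rstrip("/") + "/", info["web_path"].lstrip("/"))


def extract_findings(lines):
    """Run the parser over a whole log, skipping lines that disclose no path."""
    return [f for f in map(parse_disclosed_path, lines) if f is not None]


if __name__ == "__main__":
    for finding in extract_findings(SAMPLE_LOG_LINES):
        print(finding["cpanel_user"], finding["kind"], finding["backup_time"],
              direct_download_url("https://example.com", finding))
```

Run it over your own backup log (with your site's hostname in place of example.com) to see exactly what a search-engine indexer, and anyone reading its results, learns from a single line.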
Heist A Site
This goes without saying: someone can simply download your website and database, and a lot can happen from there depending on intent.
- Access MySQL remotely using the credentials in the wp-config.php contained in the backup, if remote MySQL access is enabled.
- Crack the password hashes of the users in the SQL dump (easy if the passwords are weak) and log in to the actual site.
- Replicate your corporate image, even for illegitimate use, and so destroy your brand.
Quick Fix
An organization that uses this system has a lot to lose. There is a quick fix, though, if one loves the product.
- Configure the plugin, or ask a developer, to ensure backups and logs are written outside the web root.
- Write .htaccess rules to protect the folder, keeping in mind that .htaccess rules only work where Apache honours them (AllowOverride must permit them, and nginx ignores them entirely), so under the right conditions they can be bypassed.
Disable directory listing:
Options -Indexes
Block file downloads from the directory. Place this in a .htaccess file in your wp-content/upready folder (on Apache 2.4 the Order/Deny pair needs mod_access_compat; otherwise use Require all denied):
<FilesMatch ".*">
Order Allow,Deny
Deny from All
</FilesMatch>
As for the text files, to prevent them from being read you can use the following rules:
<Files ~ "\.txt$">
Order allow,deny
Deny from all
</Files>
Alternatively, instead of a 403 you can return a 404 Not Found, which works better with crawlers: a 404 gets the URL dropped from the index, whereas a 403 confirms the file exists and is merely forbidden.
RedirectMatch 404 \.txt$
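To confirm the rules above actually took effect, here is an added self-check script (not the plugin's code, and not part of the original post) that probes the upready directory on your own site and classifies each response. The archive name it probes is the example quoted earlier and is only a placeholder for the names in your own log; the assessment logic is kept separate from the HTTP fetch so it can be checked offline.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin

UPREADY = "/wp-content/upready/"

# Paths to probe on your own site. The directory itself tests the listing;
# the archive name is the example quoted in the post and is a placeholder,
# substitute the names from your own backup log.
PROBES = (
    UPREADY,
    UPREADY + "backup_2014_05_06-19_54_12_id3.zip",
)


def assess(path, status, body):
    """Classify one response as exposed or protected.

    The verdicts map onto the fixes: a listing means Options -Indexes is
    missing, a downloadable file means the Deny rule is missing, a 403 means
    Deny is active, a 404 means the RedirectMatch 404 variant (or absence).
    """
    is_dir = path.endswith("/")
    if status == 200 and is_dir and "Index of" in body:
        return "exposed: directory listing"
    if status == 200 and not is_dir:
        return "exposed: downloadable"
    if status == 200:
        return "protected: no listing (index page served)"
    if status == 403:
        # Deny rule is active, but a 403 still confirms the path exists,
        # which is why the post prefers returning a 404.
        return "protected: 403 (path existence still confirmed)"
    if status == 404:
        return "protected: 404"
    return "unknown: HTTP %d" % status


def fetch(url, timeout=10):
    """GET url and return (status, first 4 KiB of body). Only run against your own site."""
    req = urllib.request.Request(url, headers={"User-Agent": "upready-self-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""


def audit(site):
    """Probe every path in PROBES on the given site and return path -> verdict."""
    results = {}
    for path in PROBES:
        status, body = fetch(urljoin(site, path))
        results[path] = assess(path, status, body)
    return results


if __name__ == "__main__":
    import sys
    for path, verdict in audit(sys.argv[1]).items():
        print(path, "->", verdict)
```

Run it as python upready_check.py https://yoursite.com before and after adding the rules. A listing on the directory or a 200 on an archive means the fix is not in place; a 403 shows the deny rule works but still tells a visitor the file exists, which is why the 404 variant is preferable.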