Hacker Targeted WordPress Backup Plugin Didn’t Actually Get Fix for Log File Disclosure
Two days ago, we discussed one vulnerability that was recently fixed in the WordPress backup plugin FastDup, while looking into why a hacker might be targeting the plugin. There was another vulnerability that was supposed to have been fixed. Patchstack claimed that there had been a sensitive data exposure via log file vulnerability in the plugin. As usual, they didn’t provide the information needed to check whether the vulnerability was real and, if it was real, whether it had been fixed. It appears that either they got some basic details of the vulnerability wrong and it wasn’t fixed, or what they were claiming was a vulnerability wasn’t one, but a similar vulnerability really did exist in the plugin. Confused? So are we. So let’s go through what we found.
The vulnerability was supposed to be fixed in version 2.1.8 of the plugin. The change made in that version was to modify an additional value appended to the names of files created by the plugin, from the current time, generated with the PHP function time(), to a randomly generated value. That would make the filenames harder to guess, but with either one the name isn’t something that would be easy to guess unless you knew when a backup was made. The files should be blocked from being accessed directly anyway, so the name shouldn’t even matter.
Making the vulnerability claim more confusing, that change also affected the names of backup files. Yet Patchstack is saying the issue is only with log files. So who knows what is going on there?
While looking into the claimed vulnerabilities in the plugin, as part of determining what a hacker might be interested in, we noticed that the plugin allows viewing log files through the WordPress REST API. We thought that might be related to what was at issue with Patchstack’s claim, based on the vulnerability name used. Looking into that further, we found that the functionality is still vulnerable.
The plugin’s admin page is limited to users with the manage_options capability, so only Administrators:
```php
$this->hook_suffix['njt_fastdup_page'] = add_menu_page(
    __('FastDup', 'njt-fastdup'),
    __('FastDup', 'njt-fastdup'),
    'manage_options',
```
The REST API registration for viewing the logs (like all of the plugin’s other registrations) has its permission_callback, which is used to restrict access to the route, set to the function njt_fastdup_permissions_check():
```php
register_rest_route($namespace, "/packages/view-log", array(
    'methods' => 'GET',
    'callback' => array($this, 'view_log'),
    'permission_callback' => array($this, 'njt_fastdup_permissions_check'),
));
```
That function only checks whether the user has the edit_posts capability:
```php
public function njt_fastdup_permissions_check($request) {
    return current_user_can('edit_posts');
}
```
That is a capability that users down to the Contributor level have. So lower-level WordPress users can view the log files through the REST API, even though the admin page that exposes them is restricted to Administrators. It doesn’t appear they are supposed to be able to do that.
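To show what a consistent permission check for a route like this looks like, here is an added example (it is not FastDup’s code and not a fix the developer has shipped). The class name Example_Log_Controller, the namespace example-plugin/v1, the file parameter and the log directory are assumptions for illustration. The weak check the post describes is kept beside the hardened one for contrast, but only the hardened one is wired into the route; the hardened check requires the same manage_options capability as the admin page, so the REST route grants no more access than the page does, and the callback confines reads to a single directory.

```php
<?php
// Added example (not FastDup's code): a REST route for reading a plugin log
// whose permission_callback requires the same capability as the admin page
// that exposes the log. Example_Log_Controller, example-plugin/v1, the 'file'
// parameter and the log directory are assumptions for illustration.

class Example_Log_Controller {

    // Capability required by the admin page (manage_options => Administrators).
    const REQUIRED_CAPABILITY = 'manage_options';

    public function register_routes() {
        register_rest_route( 'example-plugin/v1', '/packages/view-log', array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => array( $this, 'view_log' ),
            'permission_callback' => array( $this, 'permissions_check' ),
            'args'                => array(
                'file' => array(
                    'required'          => true,
                    'sanitize_callback' => 'sanitize_file_name',
                ),
            ),
        ) );
    }

    // Weak check of the kind described above: edit_posts is held by
    // Contributors and every role above them. Shown for contrast, not used.
    public function weak_permissions_check( $request ) {
        return current_user_can( 'edit_posts' );
    }

    // Hardened check: same capability as the admin page, with explicit
    // 401 (not logged in) and 403 (logged in but not allowed) responses.
    public function permissions_check( $request ) {
        if ( ! is_user_logged_in() ) {
            return new WP_Error(
                'rest_not_logged_in',
                __( 'You are not logged in.', 'example-plugin' ),
                array( 'status' => 401 )
            );
        }
        if ( ! current_user_can( self::REQUIRED_CAPABILITY ) ) {
            return new WP_Error(
                'rest_forbidden',
                __( 'Sorry, you are not allowed to view log files.', 'example-plugin' ),
                array( 'status' => 403 )
            );
        }
        return true;
    }

    // Reads one log file from the plugin's own log directory. sanitize_file_name
    // (applied via 'args') plus basename() keep the request from naming a path
    // outside that directory.
    public function view_log( $request ) {
        $log_dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'example-plugin-logs/';
        $file    = basename( $request->get_param( 'file' ) );
        $path    = $log_dir . $file;

        if ( ! file_exists( $path ) || ! is_file( $path ) ) {
            return new WP_Error(
                'log_not_found',
                __( 'Log file not found.', 'example-plugin' ),
                array( 'status' => 404 )
            );
        }
        return rest_ensure_response( array(
            'file'    => $file,
            'content' => file_get_contents( $path ),
        ) );
    }
}

add_action( 'rest_api_init', function () {
    ( new Example_Log_Controller() )->register_routes();
} );
```

The point of the design is that the capability named in the permission_callback is the same constant the admin page uses, so the two cannot drift apart. Returning a WP_Error with a status code, rather than a bare false, also gives the REST API a proper 401/403 response to log, which makes unauthorized attempts to read logs visible in access logs.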
We reached out to the developer to let them know there still is an issue and offered to help them address this.