Wednesday, January 20, 15:59

Duplicator WordPress Plugin: Error Endangers 1 Million Websites!

Duplicator WordPress Plugin: Error Compromising 1 Million Websites: The discovery of vulnerable WordPress plugins shows no sign of stopping lately.

New research has revealed that a vulnerability in the Duplicator WordPress plugin is being actively exploited. Duplicator is a plugin that lets webmasters migrate WordPress sites easily. It also lets administrators download the package files that are created when they make a new copy of the site.

It is in this download step that an arbitrary file download vulnerability was found.

How does this happen?

The download buttons result in a call to the WordPress AJAX handler with the duplicator_download action and a file parameter indicating the location of the file to be downloaded. When the button is clicked, the requested file is downloaded and the user does not need to leave or reload the current page. Unfortunately, the duplicator_download action was registered via wp_ajax_nopriv_ and was therefore accessible to unauthenticated users.

```php
public static function duplicator_download() {
    // The file name is taken straight from the request. sanitize_text_field()
    // strips tags and control characters but leaves "../" untouched, and no
    // check keeps the resulting path inside DUPLICATOR_SSDIR_PATH.
    $file = sanitize_text_field($_GET['file']);
    $filepath = DUPLICATOR_SSDIR_PATH . '/' . $file;
    // Process download
    if (file_exists($filepath)) {
        // Clean output buffer
        if (ob_get_level() !== 0 && @ob_end_clean() === FALSE) {
            @ob_clean();
        }
        header('Content-Description: File Transfer');
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename="' . basename($filepath) . '"');
        header('Expires: 0');
        header('Cache-Control: must-revalidate');
        header('Pragma: public');
        header('Content-Length: ' . filesize($filepath));
        flush(); // Flush system output buffer
        try {
            $fp = @fopen($filepath, 'r');
            if (false === $fp) {
                throw new Exception('Fail to open the file ' . $filepath);
            }
            // Stream the file to the client in chunks.
            while (!feof($fp) && ($data = fread($fp, DUPLICATOR_BUFFER_READ_WRITE_SIZE)) !== FALSE) {
                echo $data;
            }
            @fclose($fp);
        } catch (Exception $e) {
            readfile($filepath);
        }
        exit;
    } else {
        wp_die('Invalid installer file name!!');
    }
}
```


There are no restrictions on the downloaded file path. This made it possible for an attacker to read files in other directories by submitting values like ../../../file.php. The file parameter passes through sanitize_text_field and is appended to the plugin's DUPLICATOR_SSDIR_PATH constant, but sanitize_text_field does not remove ../ sequences, so directory traversal was still possible.

```php
function duplicator_init() {
    // Non-AJAX path: the same download routine also runs from the 'init'
    // hook, so any request carrying ?action=duplicator_download reaches it.
    if (isset($_GET['action']) && $_GET['action'] == 'duplicator_download') {
        // Same unchecked path construction as in the AJAX handler.
        $file = sanitize_text_field($_GET['file']);
        $filepath = DUPLICATOR_SSDIR_PATH . '/' . $file;
        // Process download
        if (file_exists($filepath)) {
            // Clean output buffer
            if (ob_get_level() !== 0 && @ob_end_clean() === FALSE) {
                @ob_clean();
            }
            header('Content-Description: File Transfer');
            header('Content-Type: application/octet-stream');
            header('Content-Disposition: attachment; filename="' . basename($filepath) . '"');
            header('Expires: 0');
            header('Cache-Control: must-revalidate');
            header('Pragma: public');
            header('Content-Length: ' . filesize($filepath));
            flush(); // Flush system output buffer
            try {
                $fp = @fopen($filepath, 'r');
                if (false === $fp) {
                    throw new Exception('Fail to open the file ' . $filepath);
                }
                while (!feof($fp) && ($data = fread($fp, DUPLICATOR_BUFFER_READ_WRITE_SIZE)) !== FALSE) {
                    echo $data;
                }
                @fclose($fp);
            } catch (Exception $e) {
                readfile($filepath);
            }
            exit;
        } else {
            wp_die('Invalid installer file name!!');
        }
    }
}
add_action('init', 'duplicator_init');
```


Exploiting this bug allowed attackers to read the database credentials of the targeted site (stored in wp-config.php). With these credentials, the intruders could then potentially access the database itself.
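The containment check the handlers above are missing, shown as an added Python example (not code from the plugin or from the researchers): a simplified stand-in for sanitize_text_field shows why that call does not stop traversal, and resolve_download_path() rejects any request whose resolved location leaves the snapshot directory. The directory layout, file names and sample values are constructed for the example.

```python
import os
import re
import tempfile


def sanitize_text_field_like(value: str) -> str:
    """Simplified stand-in for WordPress' sanitize_text_field() (not the real
    implementation): strips tags, control characters and outer whitespace.
    Like the real function it leaves "../" untouched, so it is no traversal
    defence on its own."""
    value = re.sub(r"<[^>]*>", "", value)
    value = re.sub(r"[\x00-\x1f\x7f]", "", value)
    return value.strip()


def resolve_download_path(base_dir: str, requested: str):
    """Return the absolute path to serve, or None if the request would leave
    base_dir. This is the check the vulnerable handler lacks."""
    name = sanitize_text_field_like(requested)
    # Accept only a bare file name: any path separator is a traversal attempt.
    if not name or os.path.basename(name) != name:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # realpath() collapses ".." and symlinks, so compare the final locations.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None


def demo():
    """Build a throw-away tree shaped like a WordPress install and compare the
    plugin's string concatenation with the hardened resolver. Returns, per
    request value, (naive_path_exists, hardened_path_accepted)."""
    with tempfile.TemporaryDirectory() as root:
        wp_root = os.path.join(root, "wordpress")
        snapshots = os.path.join(wp_root, "wp-snapshots")  # plays DUPLICATOR_SSDIR_PATH
        os.makedirs(snapshots)
        with open(os.path.join(wp_root, "wp-config.php"), "w") as fh:
            fh.write("<?php define('DB_PASSWORD', 'constructed-sample');\n")
        with open(os.path.join(snapshots, "20200101_backup_archive.zip"), "w") as fh:
            fh.write("constructed sample archive\n")

        requests = ("20200101_backup_archive.zip", "/../wp-config.php", "../wp-config.php")
        results = {}
        for requested in requests:
            # What the plugin did: DUPLICATOR_SSDIR_PATH . '/' . $file, then file_exists().
            naive = snapshots + "/" + sanitize_text_field_like(requested)
            naive_exists = os.path.exists(naive)
            hardened = resolve_download_path(snapshots, requested)
            results[requested] = (naive_exists, hardened is not None)
        return results


if __name__ == "__main__":
    for req, (naive, hardened) in demo().items():
        print(f"{req!r:32} naive file_exists={naive!s:5} hardened accepts={hardened}")
```

Run it directly to see, for each request value, whether the plugin's concatenation would find the file and whether the hardened check accepts it. The path check is only half of the fix: a download action like this should also not be registered with wp_ajax_nopriv_, since an unauthenticated visitor has no reason to fetch site packages.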


The following Indicators of Compromise can be used to determine if your site has been compromised.

  • Traffic from the following IP address should be considered suspicious:

77.71.115.52

  • The attacks in this campaign are issued via GET requests with the following query string parameters:

action=duplicator_download
file=/../wp-config.php


Note: Because this vulnerability can be exploited through WP AJAX, it can also be exploited via a POST request. In that case the action parameter can be passed in the POST body instead of the query string, which keeps the action=duplicator_download string out of the HTTP logs. However, the file parameter must still be passed in the query string and is a reliable indicator.
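To act on the indicators above, here is an added Python example (not from the article or the researchers) that scans web-server access log lines in the common "combined" format for the pattern the note describes: it keys on the file parameter rather than on action, so POST requests whose action sits in the body are still caught, and it percent-decodes the query so encoded ../ sequences are seen too. The log lines are constructed for the example; only the listed IP address comes from the indicators above, the other addresses are RFC 5737 documentation ranges.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Source IP listed in the article's indicators of compromise.
SUSPICIOUS_IPS = {"77.71.115.52"}

# Apache/nginx "combined" format: ip ident user [time] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# Constructed sample lines, not real traffic: an attempt via the query string,
# one via POST with only "file" visible in the URL, one percent-encoded attempt
# through the front-end 'init' path, a legitimate admin download, and noise.
SAMPLE_LOG = """\
77.71.115.52 - - [20/Jan/2021:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=/../wp-config.php HTTP/1.1" 200 3114 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Jan/2021:10:02:10 +0000] "POST /wp-admin/admin-ajax.php?file=/../wp-config.php HTTP/1.1" 200 3114 "-" "curl/7.68.0"
192.0.2.55 - - [20/Jan/2021:10:02:45 +0000] "GET /?action=duplicator_download&file=..%2F..%2Fwp-config.php HTTP/1.1" 200 3114 "-" "python-requests/2.25.1"
203.0.113.9 - - [20/Jan/2021:10:03:33 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=20210120_backup_archive.zip HTTP/1.1" 200 5242880 "https://example.test/wp-admin/" "Mozilla/5.0"
203.0.113.9 - - [20/Jan/2021:10:04:00 +0000] "GET /?p=42 HTTP/1.1" 200 8821 "-" "Mozilla/5.0"
"""


def has_traversal(value: str) -> bool:
    """True if the (already percent-decoded) value contains a ".." path component."""
    return ".." in value.replace("\\", "/").split("/")


def classify(line: str):
    """Return a dict describing a suspicious request, or None for a clean line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m.group("target")).query)  # percent-decodes values
    reasons = []
    # Key on "file", not on "action": "action" can be moved into a POST body,
    # but "file" has to stay in the query string to reach the handler.
    for value in query.get("file", []):
        if has_traversal(value):
            reasons.append(f"traversal in file={value}")
    if m.group("ip") in SUSPICIOUS_IPS:
        reasons.append(f"source {m.group('ip')} listed in IoCs")
    if not reasons:
        return None
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "action_visible": "action" in query,
        "reasons": reasons,
    }


def scan(log_text: str):
    """Run classify() over every line and keep the hits, in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A legitimate administrator download carries the same action and an admin-ajax.php path, so the action alone is not a signal; the traversal in the file value and the known source address are what separate the attack lines from the benign one.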


So make sure you apply the necessary updates to your WordPress website to stay safe. According to the researchers, the vulnerability affects versions of the Duplicator plugin prior to 1.3.28.

After the vulnerability was discovered, the developers patched it in plugin version 1.3.28. Despite the fix, about half a million sites have not yet updated the plugin and therefore remain exposed to attacks exploiting this flaw.

Update instantly so your website doesn't get hacked!
