
Duplicator WordPress Plugin: Error Endangers 1 Million Websites!

Duplicator WordPress Plugin: Error Compromising 1 Million Websites: there seems to be no let-up lately in the discovery of vulnerable WordPress plugins.

New research has revealed that the Duplicator WordPress plugin is being actively exploited. Duplicator is a plugin that makes it easy for webmasters to migrate WordPress sites. It also lets administrators download the package files that are created when a new copy of the site is made.

The flaw is an arbitrary file download vulnerability, and it has been found to be actively exploited by malicious actors.

How does this happen?

The download buttons result in a call to the WordPress AJAX handler with the action duplicator_download and a file parameter indicating the location of the file to be downloaded. When the button is clicked, the requested file is downloaded without the user having to leave or reload the current page. Unfortunately, the duplicator_download action was registered via wp_ajax_nopriv_, which made it accessible to unauthenticated users.

```php
public static function duplicator_download() {
    // The file name is sanitized as text but never validated as a path
    $file     = sanitize_text_field($_GET['file']);
    $filepath = DUPLICATOR_SSDIR_PATH . '/' . $file;

    // Process download
    if (file_exists($filepath)) {
        // Clean output buffer
        if (ob_get_level() !== 0 && @ob_end_clean() === FALSE) {
            @ob_clean();
        }
        header('Content-Description: File Transfer');
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename="' . basename($filepath) . '"');
        header('Expires: 0');
        header('Cache-Control: must-revalidate');
        header('Pragma: public');
        header('Content-Length: ' . filesize($filepath));
        flush(); // Flush system output buffer

        try {
            $fp = @fopen($filepath, 'r');
            if (false === $fp) {
                throw new Exception('Fail to open the file ' . $filepath);
            }
            // Stream the file to the client in chunks
            while (!feof($fp) && ($data = fread($fp, DUPLICATOR_BUFFER_READ_WRITE_SIZE)) !== FALSE) {
                echo $data;
            }
            @fclose($fp);
        } catch (Exception $e) {
            readfile($filepath);
        }
        exit;
    } else {
        wp_die('Invalid installer file name!!');
    }
}
```


There were no restrictions on the paths of the files being downloaded, so an attacker could reach files in other directories by submitting values such as ../../../file.php. The file parameter does pass through sanitize_text_field before being appended to the plugin's DUPLICATOR_SSDIR_PATH constant, but that function strips tags and stray whitespace rather than path components, so directory traversal remained possible.

```php
// The same download logic was also hooked on init, so it could be reached
// with ?action=duplicator_download on any page, not only via admin-ajax.php
function duplicator_init() {
    if (isset($_GET['action']) && $_GET['action'] == 'duplicator_download') {
        $file     = sanitize_text_field($_GET['file']);
        $filepath = DUPLICATOR_SSDIR_PATH . '/' . $file;

        // Process download
        if (file_exists($filepath)) {
            // Clean output buffer
            if (ob_get_level() !== 0 && @ob_end_clean() === FALSE) {
                @ob_clean();
            }
            header('Content-Description: File Transfer');
            header('Content-Type: application/octet-stream');
            header('Content-Disposition: attachment; filename="' . basename($filepath) . '"');
            header('Expires: 0');
            header('Cache-Control: must-revalidate');
            header('Pragma: public');
            header('Content-Length: ' . filesize($filepath));
            flush(); // Flush system output buffer

            try {
                $fp = @fopen($filepath, 'r');
                if (false === $fp) {
                    throw new Exception('Fail to open the file ' . $filepath);
                }
                while (!feof($fp) && ($data = fread($fp, DUPLICATOR_BUFFER_READ_WRITE_SIZE)) !== FALSE) {
                    echo $data;
                }
                @fclose($fp);
            } catch (Exception $e) {
                readfile($filepath);
            }
            exit;
        } else {
            wp_die('Invalid installer file name!!');
        }
    }
}
add_action('init', 'duplicator_init');
```
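To show why the sanitize_text_field call does not help, here is an added Python illustration (not the plugin's code, which is PHP): a rough approximation of sanitize_text_field leaves ../ untouched, while a realpath containment check, the kind of check the handlers above lack, refuses any path that resolves outside the snapshot directory. The snapshot directory path and the sanitize approximation are assumptions made for the example.

```python
import os
import re
from typing import Optional

# Constructed stand-in for the plugin's DUPLICATOR_SSDIR_PATH constant
SNAPSHOT_DIR = "/var/www/html/wp-snapshots"


def sanitize_text_field(value: str) -> str:
    """Rough Python approximation (assumption) of WordPress sanitize_text_field():
    strips tags, control characters and extra whitespace. It was never designed
    to validate paths, so '..' and '/' pass straight through."""
    value = re.sub(r"<[^>]*>", "", value)          # strip HTML tags
    value = re.sub(r"[\x00-\x1f\x7f]", "", value)  # drop control characters
    return " ".join(value.split())                 # collapse whitespace


def vulnerable_path(user_file: str) -> str:
    """What the original handler computed: sanitize, then concatenate."""
    return SNAPSHOT_DIR + "/" + sanitize_text_field(user_file)


def resolve_download(user_file: str) -> Optional[str]:
    """The containment check the handler lacked: resolve the path and accept it
    only if it still lies inside the snapshot directory, else return None."""
    base = os.path.realpath(SNAPSHOT_DIR)
    # realpath collapses '..' (and symlinks), so the prefix test below cannot
    # be bypassed by traversal sequences hidden inside the user-supplied name
    candidate = os.path.realpath(vulnerable_path(user_file))
    if os.path.commonpath([base, candidate]) != base:
        return None  # escapes the directory: refuse, do not serve the file
    return candidate


if __name__ == "__main__":
    for name in ("20200210_site_archive.zip", "../../../wp-config.php"):
        print(name, "->", resolve_download(name))
```

A name such as sub/../archive.zip is still accepted because it resolves to a file inside the directory; only paths that leave the directory are refused.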


Exploiting this flaw allowed attackers to read the database credentials of the targeted site, and with those credentials they could potentially access the database directly.


The following indicators of compromise can be used to determine whether your site has been targeted.

  • Traffic from the following IP address should be treated as suspicious:

77.71.115.52

  • The attacks in this campaign are issued via GET requests carrying the following query-string parameters:

action=duplicator_download
file=/../wp-config.php


Note: Because this vulnerability can be exploited through WP AJAX, it can also be exploited via a POST request. In that case the action parameter may be passed in the POST body instead of the query string, so the string action=duplicator_download will not appear in the HTTP logs. However, the file parameter must still be passed in the query string, which makes it a reliable indicator.
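The indicators above can be turned into a log check. The following added Python script (not from the article or the plugin) scans combined-format access log lines for the known IP and for traversal in the file parameter, and it catches the POST variant described in the note because file= still appears in the query string. The sample log lines are constructed for the example; only the IP 77.71.115.52 comes from the article.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators from the article: the attacking IP and traversal via the file parameter
SUSPICIOUS_IPS = {"77.71.115.52"}
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

# Combined-format access log line: client IP, method, request target, status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# Constructed sample log: a GET attempt from the known IP, a POST attempt (action in
# the body, so only file= is visible), a legitimate package download and an unrelated
# request. IPs other than the article's IoC are documentation ranges.
SAMPLE_LOG = """\
77.71.115.52 - - [10/Feb/2020:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=/../wp-config.php HTTP/1.1" 200 3112 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Feb/2020:10:02:15 +0000] "POST /wp-admin/admin-ajax.php?file=/../wp-config.php HTTP/1.1" 200 3112 "-" "python-requests/2.22"
198.51.100.7 - - [10/Feb/2020:10:03:40 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=20200210_site_archive.zip HTTP/1.1" 200 52311 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2020:10:04:01 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def classify(line: str) -> list:
    """Return the reasons a log line matches the Duplicator campaign ([] if none)."""
    m = LINE_RE.match(line)
    if not m:
        return []
    reasons = []
    if m["ip"] in SUSPICIOUS_IPS:
        reasons.append("known attacker IP")
    # parse_qs also percent-decodes, so an encoded %2e%2e%2f is seen as ../
    query = parse_qs(urlsplit(m["target"]).query)
    for value in query.get("file", []):
        # file= must be in the query string even for POST exploitation, so it is
        # inspected whether or not action=duplicator_download is visible
        if TRAVERSAL.search(value) or "wp-config.php" in value:
            reasons.append("traversal in file parameter: " + value)
    return reasons


def scan(log_text: str) -> list:
    """Return (ip, method, target, reasons) for every matching line."""
    hits = []
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            m = LINE_RE.match(line)
            hits.append((m["ip"], m["method"], m["target"], reasons))
    return hits
```

The legitimate package download in the sample is not flagged, since its file value contains no traversal sequence.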


So make sure you apply the necessary updates to your WordPress website to stay safe. According to the researchers, the vulnerability affected versions of the Duplicator plugin before 1.3.28.

After the vulnerability was discovered, the developers patched it in plugin version 1.3.28. Despite the fix, about half a million sites have not updated the plugin and therefore remain exposed to attacks exploiting this flaw.

Update instantly so your website doesn't get hacked!
