
On 19 February 2020, Wordfence reported a high-severity, unauthenticated arbitrary file download vulnerability in the popular Duplicator plugin for WordPress, and warned that it was already being exploited in the wild.
Duplicator is used to migrate and clone WordPress sites: an administrator builds a package (a copy of the site's files and database plus an installer), and the generated files can then be downloaded from the WordPress dashboard.
WordPress Duplicator Plugin Zero-day Vulnerability
Exploiting the vulnerability lets an unauthenticated attacker download arbitrary files from a vulnerable site, most notably wp-config.php, which holds the database credentials and authentication salts. Duplicator has more than 1 million active installations, so more than 1 million WordPress sites were potentially exposed.
When a user creates a package and clicks the download button, the dashboard calls the WordPress AJAX handler with action=duplicator_download and a file parameter naming the file to fetch.
"Unfortunately the duplicator_download action was registered via wp_ajax_nopriv_ and was accessible to unauthenticated users. To make things worse, no validation limited the filepaths being downloaded. The file parameter is passed through sanitize_text_field and appended to the plugin constant DUPLICATOR_SSDIR_PATH, but directory traversal was still possible. An attacker could access files outside of Duplicator's intended directory by submitting values like ../../../file.php to navigate throughout the server's file structure." - Wordfence
```php
function duplicator_init() {
    if (isset($_GET['action']) && $_GET['action'] == 'duplicator_download') {
        // No capability or nonce check: any visitor can reach this branch.
        // sanitize_text_field() strips tags and whitespace but leaves '../' intact.
        $file     = sanitize_text_field($_GET['file']);
        $filepath = DUPLICATOR_SSDIR_PATH . '/' . $file;

        // Process download (the only check is that the resulting path exists)
        if (file_exists($filepath)) {
            // Clean output buffer
            if (ob_get_level() !== 0 && @ob_end_clean() === FALSE) {
                @ob_clean();
            }
            header('Content-Description: File Transfer');
            header('Content-Type: application/octet-stream');
            header('Content-Disposition: attachment; filename="' . basename($filepath) . '"');
            header('Expires: 0');
            header('Cache-Control: must-revalidate');
            header('Pragma: public');
            header('Content-Length: ' . filesize($filepath));
            flush(); // Flush system output buffer
            try {
                $fp = @fopen($filepath, 'r');
                if (false === $fp) {
                    throw new Exception('Fail to open the file ' . $filepath);
                }
                while (!feof($fp) && ($data = fread($fp, DUPLICATOR_BUFFER_READ_WRITE_SIZE)) !== FALSE) {
                    echo $data;
                }
                @fclose($fp);
            } catch (Exception $e) {
                readfile($filepath);
            }
            exit;
        } else {
            wp_die('Invalid installer file name!!');
        }
    }
}
add_action('init', 'duplicator_init');
```
Source: Wordfence
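The following Python script is an added example, not Duplicator's code or Wordfence's, that mirrors the path-building logic above to show where the vulnerable concatenation ends up reading from, and places a containment check beside it. The snapshot directory is a constructed stand-in for DUPLICATOR_SSDIR_PATH, and the allowed file-name pattern is this example's assumption rather than the plugin's actual validation.

```python
"""Added example (not Duplicator's code): why concatenating a user-supplied
file name onto a base directory permits traversal, and a containment check
that stops it. SSDIR_PATH is a constructed stand-in for the plugin's
DUPLICATOR_SSDIR_PATH; ALLOWED_NAME is this example's assumption, not the
plugin's actual validation."""
import os
import re

# Constructed stand-in for DUPLICATOR_SSDIR_PATH. Snapshots live under the
# WordPress root, which is why '../wp-config.php' lands on the site's config.
SSDIR_PATH = "/var/www/html/wp-snapshots"

# Assumed shape of a legitimate package/installer name: no path separators,
# starts with an alphanumeric character, known extension.
ALLOWED_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*\.(zip|daf|php)$")


def vulnerable_resolve(user_file: str) -> str:
    """Mirrors the flawed logic: DUPLICATOR_SSDIR_PATH . '/' . $file.
    sanitize_text_field() strips tags, line breaks and extra whitespace,
    but leaves '.' and '/' alone, so '../' sequences survive untouched."""
    return os.path.normpath(SSDIR_PATH + "/" + user_file)


def safe_resolve(user_file: str) -> str:
    """Hardened resolution (example only, not the plugin's actual patch):
    1. accept only a bare file name of the expected shape,
    2. build the path,
    3. confirm the normalised result is still inside SSDIR_PATH.
    Raises ValueError otherwise. In the real handler this would also sit
    behind a capability check, because the flaw was reachable anonymously."""
    if not ALLOWED_NAME.match(user_file):
        raise ValueError(f"rejected file name: {user_file!r}")
    candidate = os.path.normpath(SSDIR_PATH + "/" + user_file)
    # Defence in depth: even if the pattern were loosened later, never serve
    # a path whose normalised form leaves the snapshot directory.
    if os.path.commonpath([SSDIR_PATH, candidate]) != SSDIR_PATH:
        raise ValueError(f"path escapes snapshot directory: {candidate}")
    return candidate


def compare(user_files):
    """For each constructed input, return (input, vulnerable path, hardened
    result), where the hardened result is either the path or 'REJECTED (...)'."""
    rows = []
    for f in user_files:
        try:
            hardened = safe_resolve(f)
        except ValueError as exc:
            hardened = f"REJECTED ({exc})"
        rows.append((f, vulnerable_resolve(f), hardened))
    return rows


if __name__ == "__main__":
    samples = [
        "20200219_site_abc123_archive.zip",  # legitimate package name (constructed)
        "../../../file.php",                # Wordfence's example value
        "/../wp-config.php",                # value seen in the attack traffic
    ]
    for original, vuln, hard in compare(samples):
        print(f"{original!r:40} vulnerable -> {vuln:40} hardened -> {hard}")
```

Note that the hardened path check alone does not fix the handler: the download action also has to be restricted to users with the right capability, since the original code served files to anyone who could reach the site.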
What are the signs of exploitation?
Check your web server access logs for GET requests that carry both of the following query parameters. The plugin reads them from $_GET in its init hook, so the request path can be anything, not only /wp-admin/admin-ajax.php, and the values may arrive URL-encoded:
- action=duplicator_download
- file=/../wp-config.php (or any other value containing ../ sequences)
A 200 response with a non-trivial body size means the file was most likely served; in that case treat the database credentials and salts in wp-config.php as compromised and rotate them. Legitimate downloads come from authenticated administrators and reference a package name, never a path containing ../. Update the plugin to a release that fixes this issue.
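As an added example that is not part of the original post or of Wordfence's research, the script below scans Apache combined-format access log lines for the indicators above. It goes a step beyond the two literal strings: it matches on the query string regardless of request path, undoes single and double percent-encoding before looking for traversal, and separates legitimate package downloads from traversal attempts. The log lines are constructed for this example and use documentation IP ranges.

```python
"""Added example (not from the original post or from Wordfence): scan web
server access logs for duplicator_download requests and flag those whose
file parameter contains directory traversal. SAMPLE_LOG is constructed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format lines: two traversal attempts on
# different paths, one double-encoded attempt, one legitimate download,
# one unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Feb/2020:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=/../wp-config.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Feb/2020:10:01:09 +0000] "GET /?action=duplicator_download&file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1874 "-" "curl/7.64.0"
203.0.113.5 - - [19/Feb/2020:10:04:01 +0000] "GET /?action=duplicator_download&file=%252e%252e%252fwp-config.php HTTP/1.1" 200 3021 "-" "python-requests/2.22.0"
198.51.100.7 - - [19/Feb/2020:10:02:15 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=20200219_site_abc123_archive.zip HTTP/1.1" 200 5242880 "https://example.test/wp-admin/" "Mozilla/5.0"
198.51.100.9 - - [19/Feb/2020:10:03:40 +0000] "GET /index.php?p=12 HTTP/1.1" 200 8811 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# '..' as a whole path component, with / or \ as separator, anywhere in the value.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding (e.g. %252e -> %2e -> .) so that
    double-encoded traversal is judged on what PHP would finally see."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_line(line: str):
    """Return a finding dict for any request carrying action=duplicator_download,
    else None. The plugin checks $_GET on the 'init' hook, so the request path
    is irrelevant: only the query string matters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m["target"]).query)
    if query.get("action", [None])[0] != "duplicator_download":
        return None
    decoded_file = fully_decode(query.get("file", [""])[0])
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "status": int(m["status"]),
        "file": decoded_file,
        "traversal": bool(TRAVERSAL_RE.search(decoded_file)),
    }


def scan_log(text: str):
    """All duplicator_download requests in the log, each flagged for traversal."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]


def suspicious(text: str):
    """Only the traversal attempts; a 200 here means the file was likely served."""
    return [f for f in scan_log(text) if f["traversal"]]


if __name__ == "__main__":
    for f in suspicious(SAMPLE_LOG):
        print(f"{f['ts']}  {f['ip']:15}  HTTP {f['status']}  file={f['file']}")
```

Run it against a real log with `suspicious(open("access.log").read())`; anything it returns with a 200 status and a plausible Content-Length for the requested file should be treated as a successful download of that file.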