CVE-2014-9119

MEDIUM 5.0 / 10.0
Published: December 31, 2014 at 10:59 PM
Modified: April 12, 2025 at 10:46 AM
Source: cve@mitre.org

Vulnerability Description

Directory traversal vulnerability in download.php in the DB Backup plugin 4.5 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.

CVSS Metrics

Base Score: 5.0
Severity: MEDIUM
Vector String: AV:N/AC:L/Au:N/C:P/I:N/A:N

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

A directory traversal vulnerability exists in the DB Backup plugin for WordPress, allowing attackers to read arbitrary files on the server. The flaw can disclose sensitive information, including database credentials and configuration files, potentially enabling a full system compromise.

02 // Vulnerability Mechanism

Step 1: Vulnerability Identification: The attacker identifies a WordPress installation using the vulnerable DB Backup plugin (version 4.5 or earlier).

Step 2: Payload Delivery: The attacker crafts a malicious URL that targets the download.php script and supplies a crafted file parameter. The file parameter contains a directory traversal payload, such as ../../../../etc/passwd, in an attempt to read the /etc/passwd file.

Step 3: Request Submission: The attacker sends the crafted URL to the vulnerable WordPress installation.

Step 4: Server-Side Processing: The download.php script receives the request and attempts to download the file specified in the file parameter.

Step 5: Path Traversal: Due to the lack of proper input validation, the ../ sequences in the file parameter are not neutralized. The server interprets the path, navigating up the directory structure.

Step 6: File Retrieval: The server attempts to open and serve the file specified by the manipulated path (e.g., /etc/passwd).

Step 7: Information Disclosure: The contents of the requested file (e.g., /etc/passwd) are returned to the attacker, revealing sensitive information.

03 // Deep Technical Analysis

The vulnerability stems from insufficient input validation in the download.php script of the DB Backup plugin. Specifically, the script fails to properly sanitize the file parameter, which is used to specify the file to be downloaded. By crafting a malicious URL containing a sequence of ../ (dot-dot-slash) characters, an attacker can traverse the directory structure and access files outside of the intended backup directory. The lack of proper path normalization and file path validation allows the attacker to specify any file on the server, leading to information disclosure.
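
The path normalization and containment check whose absence is described above can be written as follows. This is an added example, not the DB Backup plugin's code or its actual fix; the function name resolve_backup_path, the allowed extensions and the demo file names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Resolve a requested backup name to a real path inside $backupDir, or null.
 * Hypothetical helper for illustration; not taken from the plugin.
 */
function resolve_backup_path(string $backupDir, string $requested): ?string
{
    // Reject empty names, NUL bytes and anything that is not a bare file name.
    if ($requested === '' || strpos($requested, "\0") !== false
        || basename($requested) !== $requested) {
        return null;
    }
    // Allow-list the name shape (assumption: backups end in .sql, .zip or .gz).
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]*\.(sql|zip|gz)\z/', $requested)) {
        return null;
    }
    $base = realpath($backupDir);
    $full = realpath($backupDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false) {
        return null; // directory or file does not exist
    }
    // realpath() has resolved ".." and symlinks; the result must stay under $base.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0 || !is_file($full)) {
        return null;
    }
    return $full;
}

// Constructed demo data: a temporary backup directory holding one dump file
// and one symlink that points outside the directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'backup_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'site-2014-12-01.sql', "-- dump\n");
@symlink(__FILE__, $dir . DIRECTORY_SEPARATOR . 'link.sql');

$cases = ['site-2014-12-01.sql', '../../../../etc/passwd',
          'sub/../site-2014-12-01.sql', 'link.sql', 'missing.sql'];
foreach ($cases as $name) {
    $path = resolve_backup_path($dir, $name);
    printf("%-28s => %s\n", $name, $path === null ? 'REJECTED' : 'OK');
}

@unlink($dir . DIRECTORY_SEPARATOR . 'link.sql');
unlink($dir . DIRECTORY_SEPARATOR . 'site-2014-12-01.sql');
rmdir($dir);
```

Only the first case resolves. The symlink case passes the file-name checks and is rejected only by the containment test on the resolved path, which is why that test is applied after realpath() and not to the raw parameter.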
