{"id":1153,"date":"2020-02-21T18:37:52","date_gmt":"2020-02-21T13:07:52","guid":{"rendered":"https:\/\/www.hostnamaste.com\/blog\/?post_type=news&#038;p=1153"},"modified":"2020-02-21T18:40:02","modified_gmt":"2020-02-21T13:10:02","slug":"zero-day-wordpress-duplicator-plugin-vulnerability-affects-over-1-million-sites","status":"publish","type":"news","link":"https:\/\/www.hostnamaste.com\/blog\/news\/zero-day-wordpress-duplicator-plugin-vulnerability-affects-over-1-million-sites\/","title":{"rendered":"Zero-day WordPress Duplicator Plugin Vulnerability Affects Over 1 Million Sites"},"content":{"rendered":"<figure id=\"attachment_1156\" aria-describedby=\"caption-attachment-1156\" style=\"width: 758px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-1156\" src=\"https:\/\/www.hostnamaste.com\/blog\/wp-content\/uploads\/2020\/02\/Zero-day-Wordpress-Duplicator-Plugin-Vulnerability-Affects-Over-1-Million-Sites-HostNamaste-1024x536.png\" alt=\"Zero-day WordPress Duplicator Plugin Vulnerability Affects Over 1 Million Sites - HostNamaste\" width=\"758\" height=\"397\" srcset=\"https:\/\/www.hostnamaste.com\/blog\/wp-content\/uploads\/2020\/02\/Zero-day-Wordpress-Duplicator-Plugin-Vulnerability-Affects-Over-1-Million-Sites-HostNamaste-1024x536.png 1024w, https:\/\/www.hostnamaste.com\/blog\/wp-content\/uploads\/2020\/02\/Zero-day-Wordpress-Duplicator-Plugin-Vulnerability-Affects-Over-1-Million-Sites-HostNamaste-300x157.png 300w, https:\/\/www.hostnamaste.com\/blog\/wp-content\/uploads\/2020\/02\/Zero-day-Wordpress-Duplicator-Plugin-Vulnerability-Affects-Over-1-Million-Sites-HostNamaste-768x402.png 768w, https:\/\/www.hostnamaste.com\/blog\/wp-content\/uploads\/2020\/02\/Zero-day-Wordpress-Duplicator-Plugin-Vulnerability-Affects-Over-1-Million-Sites-HostNamaste.png 1200w\" sizes=\"auto, (max-width: 758px) 100vw, 758px\" \/><figcaption id=\"caption-attachment-1156\" class=\"wp-caption-text\"><span style=\"font-size: 10pt; 
font-family: Verdana, Geneva; color: #99cc00;\">Zero-day WordPress Duplicator Plugin Vulnerability Affects Over 1 Million Sites &#8211; HostNamaste<\/span><\/figcaption><\/figure>\n<p><span style=\"font-family: Verdana, Geneva;\">On 19 February 2020, <a href=\"https:\/\/www.wordfence.com\/blog\/2020\/02\/active-attack-on-recently-patched-duplicator-plugin-vulnerability-affects-over-1-million-sites\/\" target=\"_blank\" rel=\"noopener\">Wordfence<\/a> reported a highly critical vulnerability found in the popular Duplicator plugin for WordPress. A critical security update was recently issued for\u00a0<a href=\"https:\/\/wordpress.org\/plugins\/duplicator\/\" target=\"_blank\" rel=\"noopener noreferrer\">Duplicator<\/a>, one of the most popular plugins in the WordPress ecosystem. Over a million WordPress sites were affected by a vulnerability allowing attackers to download arbitrary files from victim sites. We urge all Duplicator users to update to version 1.3.28 as soon as possible.<\/span><\/p>\n<p><span style=\"font-family: Verdana, Geneva;\">We are detecting active exploitation of this vulnerability in the wild, and estimate more than half a million sites are still running a vulnerable version. Built-in firewall protection prevents these attacks for all Wordfence users, both Premium and those still on the free version of Wordfence. As always, it\u2019s still important to perform security updates regardless of other protections.<\/span><\/p>\n<p><span style=\"font-family: Verdana, Geneva;\">In today\u2019s post, we\u2019ll take a brief look at the vulnerable code, discuss its severity, and share details of the ongoing attacks against it.<\/span><\/p>\n\n<blockquote>\n<h2><span style=\"font-family: Verdana, Geneva;\">File Download Vulnerability Analysis<\/span><\/h2>\n<\/blockquote>\n<p><span style=\"font-family: Verdana, Geneva;\">The Duplicator plugin helps site administrators migrate and copy WordPress sites. 
Part of this functionality involves exporting database and file content into portable archives. When an administrator creates a new copy of their site, Duplicator lets them download the generated files from their WordPress dashboard.<\/span><\/p>\n<figure id=\"attachment_1157\" aria-describedby=\"caption-attachment-1157\" style=\"width: 824px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-1157\" src=\"https:\/\/www.hostnamaste.com\/blog\/wp-content\/uploads\/2020\/02\/File-Download-Vulnerability-Analysis-HostNamaste.png\" alt=\"File Download Vulnerability Analysis - HostNamaste\" width=\"824\" height=\"411\" srcset=\"https:\/\/www.hostnamaste.com\/blog\/wp-content\/uploads\/2020\/02\/File-Download-Vulnerability-Analysis-HostNamaste.png 824w, https:\/\/www.hostnamaste.com\/blog\/wp-content\/uploads\/2020\/02\/File-Download-Vulnerability-Analysis-HostNamaste-300x150.png 300w, https:\/\/www.hostnamaste.com\/blog\/wp-content\/uploads\/2020\/02\/File-Download-Vulnerability-Analysis-HostNamaste-768x383.png 768w\" sizes=\"auto, (max-width: 824px) 100vw, 824px\" \/><figcaption id=\"caption-attachment-1157\" class=\"wp-caption-text\"><span style=\"font-family: Verdana, Geneva; color: #99cc00; font-size: 12pt;\">File Download Vulnerability Analysis &#8211; HostNamaste<\/span><\/figcaption><\/figure>\n<p><span style=\"font-family: Verdana, Geneva;\">This was implemented as an AJAX request within Duplicator\u2019s admin interface. The download buttons each trigger a call to the WordPress AJAX handler with the action\u00a0<code>duplicator_download<\/code>\u00a0and a\u00a0<code>file<\/code>\u00a0parameter, indicating the location of the file to be downloaded. 
When clicked, the requested file is downloaded and the user doesn\u2019t need to leave or reload their current page.<\/span><\/p>\n<pre><code class=\"php\">    public static function duplicator_download() {\n        $file = sanitize_text_field($_GET['file']);\n        $filepath = DUPLICATOR_SSDIR_PATH.'\/'.$file;\n        \/\/ Process download\n        if(file_exists($filepath)) {\n            \/\/ Clean output buffer\n            if (ob_get_level() !== 0 &amp;&amp; @ob_end_clean() === FALSE) {\n                @ob_clean();\n            }\n\n            header('Content-Description: File Transfer');\n            header('Content-Type: application\/octet-stream');\n            header('Content-Disposition: attachment; filename=\"'.basename($filepath).'\"');\n            header('Expires: 0');\n            header('Cache-Control: must-revalidate');\n            header('Pragma: public');\n            header('Content-Length: ' . filesize($filepath));\n            flush(); \/\/ Flush system output buffer\n\n            try {\n                $fp = @fopen($filepath, 'r');\n                if (false === $fp) {\n                    throw new Exception('Fail to open the file '.$filepath);\n                }\n                while (!feof($fp) &amp;&amp; ($data = fread($fp, DUPLICATOR_BUFFER_READ_WRITE_SIZE)) !== FALSE) {\n                    echo $data;\n                }\n                @fclose($fp);\n            } catch (Exception $e) {\n                readfile($filepath);\n            }\n            exit;\n        } else {\n            wp_die('Invalid installer file name!!');\n        }\n    }<\/code><\/pre>\n<p><span style=\"font-family: Verdana, Geneva;\">Unfortunately the\u00a0<code>duplicator_download<\/code>\u00a0action was registered via\u00a0<code>wp_ajax_nopriv_<\/code>\u00a0and was accessible to unauthenticated users. To make things worse, no validation limited the filepaths being downloaded. The\u00a0<code>file<\/code>\u00a0parameter is passed through\u00a0<code>sanitize_text_field<\/code>\u00a0and appended to the plugin constant\u00a0<code>DUPLICATOR_SSDIR_PATH<\/code>, but directory traversal was still possible.
An attacker could access files outside of Duplicator\u2019s intended directory by submitting values like\u00a0<code>..\/..\/..\/file.php<\/code>\u00a0to navigate throughout the server\u2019s file structure.<\/span><\/p>\n<p><span style=\"font-family: Verdana, Geneva;\">In addition to the AJAX action, the same vulnerability existed in Duplicator\u2019s\u00a0<code>duplicator_init()<\/code>\u00a0function, which is called by WordPress\u2019s\u00a0<code>init<\/code>\u00a0hook.<\/span><\/p>\n<pre><code class=\"php\">function duplicator_init() {\n    if (isset($_GET['action']) &amp;&amp; $_GET['action'] == 'duplicator_download') {\n        $file = sanitize_text_field($_GET['file']);\n        $filepath = DUPLICATOR_SSDIR_PATH.'\/'.$file;\n        \/\/ Process download\n        if(file_exists($filepath)) {\n            \/\/ Clean output buffer\n            if (ob_get_level() !== 0 &amp;&amp; @ob_end_clean() === FALSE) {\n                @ob_clean();\n            }\n\n            header('Content-Description: File Transfer');\n            header('Content-Type: application\/octet-stream');\n            header('Content-Disposition: attachment; filename=\"'.basename($filepath).'\"');\n            header('Expires: 0');\n            header('Cache-Control: must-revalidate');\n            header('Pragma: public');\n            header('Content-Length: ' . filesize($filepath));\n            flush(); \/\/ Flush system output buffer\n\n            try {\n                $fp = @fopen($filepath, 'r');\n                if (false === $fp) {<\/code><\/pre>
spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"php keyword\">throw<\/code> <code class=\"php keyword\">new<\/code> <code class=\"php plain\">Exception(<\/code><code class=\"php string\">'Fail to open the file '<\/code><code class=\"php plain\">.<\/code><code class=\"php variable\">$filepath<\/code><code class=\"php plain\">);<\/code><\/span><\/div>\n<div class=\"line number178 index24 alt1\"><span style=\"font-family: Verdana, Geneva;\"><code class=\"php spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"php plain\">}<\/code><\/span><\/div>\n<div class=\"line number179 index25 alt2\"><span style=\"font-family: Verdana, Geneva;\"><code class=\"php spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"php keyword\">while<\/code> <code class=\"php plain\">(!<\/code><code class=\"php functions\">feof<\/code><code class=\"php plain\">(<\/code><code class=\"php variable\">$fp<\/code><code class=\"php plain\">) &amp;&amp; (<\/code><code class=\"php variable\">$data<\/code> <code class=\"php plain\">= <\/code><code class=\"php functions\">fread<\/code><code class=\"php plain\">(<\/code><code class=\"php variable\">$fp<\/code><code class=\"php plain\">, DUPLICATOR_BUFFER_READ_WRITE_SIZE)) !== FALSE) {<\/code><\/span><\/div>\n<div class=\"line number180 index26 alt1\"><span style=\"font-family: Verdana, Geneva;\"><code class=\"php spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"php functions\">echo<\/code> <code class=\"php variable\">$data<\/code><code class=\"php plain\">;<\/code><\/span><\/div>\n<div class=\"line number181 index27 alt2\"><span style=\"font-family: Verdana, Geneva;\"><code class=\"php 
spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"php plain\">}<\/code><\/span><\/div>\n<div class=\"line number182 index28 alt1\"><span style=\"font-family: Verdana, Geneva;\"><code class=\"php spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"php plain\">@fclose(<\/code><code class=\"php variable\">$fp<\/code><code class=\"php plain\">);<\/code><\/span><\/div>\n<div class=\"line number183 index29 alt2\"><span style=\"font-family: Verdana, Geneva;\"><code class=\"php spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"php plain\">} <\/code><code class=\"php keyword\">catch<\/code> <code class=\"php plain\">(Exception <\/code><code class=\"php variable\">$e<\/code><code class=\"php plain\">) {<\/code><\/span><\/div>\n<div class=\"line number184 index30 alt1\"><span style=\"font-family: Verdana, Geneva;\"><code class=\"php spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"php plain\">readfile(<\/code><code class=\"php variable\">$filepath<\/code><code class=\"php plain\">);<\/code><\/span><\/div>\n<div class=\"line number185 index31 alt2\"><span style=\"font-family: Verdana, Geneva;\"><code class=\"php spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"php plain\">}<\/code><\/span><\/div>\n<div class=\"line number186 index32 alt1\"><span style=\"font-family: Verdana, Geneva;\"><code class=\"php spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"php functions\">exit<\/code><code class=\"php plain\">;<\/code><\/span><\/div>\n<div class=\"line number187 index33 alt2\"><span style=\"font-family: Verdana, Geneva;\"><code class=\"php 
spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"php plain\">} <\/code><code class=\"php keyword\">else<\/code> <code class=\"php plain\">{<\/code><\/span><\/div>\n<div class=\"line number188 index34 alt1\"><span style=\"font-family: Verdana, Geneva;\"><code class=\"php spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"php plain\">wp_die(<\/code><code class=\"php string\">'Invalid installer file name!!'<\/code><code class=\"php plain\">);<\/code><\/span><\/div>\n<div class=\"line number189 index35 alt2\"><span style=\"font-family: Verdana, Geneva;\"><code class=\"php spaces\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"php plain\">}<\/code><\/span><\/div>\n<div class=\"line number190 index36 alt1\"><span style=\"font-family: Verdana, Geneva;\"><code class=\"php spaces\">\u00a0\u00a0\u00a0\u00a0<\/code><code class=\"php plain\">}<\/code><\/span><\/div>\n<div class=\"line number191 index37 alt2\"><span style=\"font-family: Verdana, Geneva;\"><code class=\"php plain\">}<\/code><\/span><\/div>\n<div class=\"line number192 index38 alt1\"><span style=\"font-family: Verdana, Geneva;\"><code class=\"php plain\">add_action(<\/code><code class=\"php string\">'init'<\/code><code class=\"php plain\">, <\/code><code class=\"php string\">'duplicator_init'<\/code><code class=\"php plain\">);<\/code><\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p><span style=\"font-family: Verdana, Geneva;\">Because it was hooked into\u00a0<code>init<\/code>, this function was executed on every WordPress page load for logged-in users and unauthenticated visitors alike. This means an attacker could trigger a file download by adding query strings to any path on a vulnerable site, bypassing AJAX-specific monitoring.<\/span><\/p>\n<p><span style=\"font-family: Verdana, Geneva;\">Both of these vulnerable cases have been patched as of Duplicator 1.3.28. 
The AJAX action has been updated to properly validate filenames, and now requires a matching ID and hash to allow the file download. The\u00a0<code>duplicator_init()<\/code>\u00a0function has been removed entirely.<\/span><\/p>\n<blockquote>\n<h2><span style=\"font-family: Verdana, Geneva;\">Attackers Stealing Database Credentials<\/span><\/h2>\n<\/blockquote>\n<p><span style=\"font-family: Verdana, Geneva;\">Arbitrary file download vulnerabilities can be a critical issue regardless of the vulnerable site\u2019s platform, but such attacks against WordPress sites largely target one file:\u00a0<code>wp-config.php<\/code>.<\/span><\/p>\n<p><span style=\"font-family: Verdana, Geneva;\">Depending on the site,\u00a0<code>wp-config.php<\/code>\u00a0can contain any amount of custom code, but attackers target it to access a site\u2019s database credentials. With these credentials, an attacker can directly access the victim site\u2019s database if it allows remote connections. This access can be used by an attacker to create their own Administrator account and further compromise the site, or simply to inject content or harvest data.<\/span><\/p>\n<p><span style=\"font-family: Verdana, Geneva;\">Sites with local databases still have cause for concern, however. On shared hosting environments, it\u2019s possible for one user on a shared server to access the local database of another site on the same server. This certainly limits the attack surface of the vulnerable site, but is still a severe issue.<\/span><\/p>\n<p><span style=\"font-family: Verdana, Geneva;\">At the time of this writing, Wordfence has blocked more than 60,000 attempts to download\u00a0<code>wp-config.php<\/code>\u00a0files with this vulnerability. 
About 50,000 of these events took place before Duplicator patched the flaw, making this a zero-day vulnerability.<\/span><\/p>\n<p><span style=\"font-family: Verdana, Geneva;\">Nearly all of these attacks were issued from the same IP address:\u00a0<code>77.71.115.52<\/code>. This IP points to a webserver located in Bulgaria, owned by Varna Data Center EOOD. A handful of websites are hosted on this server, suggesting the attacker could be proxying their attacks through a compromised website. We have associated this IP address with other malicious activity against WordPress recently, and research into its activity is ongoing.<\/span><\/p>\n<blockquote>\n<h2><span style=\"font-family: Verdana, Geneva;\">Indicators Of Compromise (IOCs)<\/span><\/h2>\n<\/blockquote>\n<p><span style=\"font-family: Verdana, Geneva;\">The following Indicators of Compromise (IOCs) can be used to determine if your site may have been attacked.<\/span><\/p>\n<ul>\n<li><span style=\"font-family: Verdana, Geneva;\">Traffic logged from the threat actor\u2019s IP address should be considered suspicious:<\/span>\n<ul>\n<li><span style=\"font-family: Verdana, Geneva;\"><code>77.71.115.52<\/code><\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-family: Verdana, Geneva;\">Attacks in this campaign are issued via GET requests with the following query strings:<\/span>\n<ul>\n<li><span style=\"font-family: Verdana, Geneva;\"><code>action=duplicator_download<\/code><\/span><\/li>\n<li><span style=\"font-family: Verdana, Geneva;\"><code>file=\/..\/wp-config.php<\/code><\/span><\/li>\n<li><span style=\"font-family: Verdana, Geneva;\"><strong>Note:<\/strong>\u00a0Because this vulnerability can be exploited via WP AJAX, it\u2019s possible to exploit via POST request. In this case, it\u2019s possible for the\u00a0<code>action<\/code>\u00a0parameter to be passed in the POST body instead of the query string. 
This will prevent the\u00a0<code>action=duplicator_download<\/code>\u00a0string from appearing in HTTP logs. The\u00a0<code>file<\/code>\u00a0parameter\u00a0<strong>must<\/strong>\u00a0be passed as a query string, however, and is a reliable indicator.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<blockquote>\n<h2><span style=\"font-family: Verdana, Geneva;\">Timeline<\/span><\/h2>\n<\/blockquote>\n<ul>\n<li><span style=\"font-family: Verdana, Geneva;\"><strong>February 10th, 2020<\/strong>\u00a0\u2013 First attacks against Duplicator vulnerability. Wordfence users already safe due to built-in firewall protection.<\/span><\/li>\n<li><span style=\"font-family: Verdana, Geneva;\"><strong>February 12th, 2020<\/strong>\u00a0\u2013 Duplicator releases version 1.3.28 to patch the flaw.<\/span><\/li>\n<\/ul>\n<blockquote>\n<h2><span style=\"font-family: Verdana, Geneva;\">Conclusion<\/span><\/h2>\n<\/blockquote>\n<p><span style=\"font-family: Verdana, Geneva;\">Duplicator\u2019s massive install base, combined with the ease of exploiting this vulnerability, makes this flaw a noteworthy target for hackers. It\u2019s crucial that Duplicator\u2019s users update their plugins to the latest available version as soon as possible to remove this risk. All Wordfence users are protected from these attacks, but don\u2019t forget to update despite this. Also, due to the nature of Duplicator\u2019s functionality, it\u2019s likely that it\u2019s no longer required on your site. If you have no intent of using it to migrate or clone your site in the immediate future, you can delete the plugin without worry. It can always be reinstalled later if needed.<\/span><\/p>\n<p><span style=\"font-family: Verdana, Geneva;\">If you believe your site was attacked via this vulnerability, it\u2019s critical that you change your database credentials and WordPress salts immediately. 
If you\u2019re concerned that an attacker may have gained unauthorized access to your site, consider having our expert analysts perform a\u00a0<a href=\"https:\/\/www.wordfence.com\/site-security-audit\/?promo_id=blog20200219&amp;promo_name=get-site-cleaning&amp;promo_creative=txt&amp;promo_position=conclusion\" target=\"_blank\" rel=\"noopener\">Site Security Audit<\/a>\u00a0to ensure your <a href=\"https:\/\/www.hostnamaste.com\/blog\/news\/sectigo-releases-new-cloud-based-web-security-platform\/\">security<\/a> is intact.<\/span><\/p>\n<blockquote>\n<h2><span style=\"font-family: Verdana, Geneva;\">Update: Duplicator Pro Was Also Affected<\/span><\/h2>\n<\/blockquote>\n<div><span style=\"font-family: Verdana, Geneva;\"><strong>Description:<\/strong>\u00a0Unauthenticated Arbitrary File Download<\/span><br \/>\n<span style=\"font-family: Verdana, Geneva;\"><strong>Affected Plugin:<\/strong>\u00a0Duplicator Pro<\/span><br \/>\n<span style=\"font-family: Verdana, Geneva;\"><strong>Affected Versions:<\/strong>\u00a0&lt;= 3.8.7<\/span><br \/>\n<span style=\"font-family: Verdana, Geneva;\"><strong>CVSS Score:<\/strong>\u00a07.5 (High)<\/span><br \/>\n<span style=\"font-family: Verdana, Geneva;\"><strong>CVSS Vector:<\/strong>\u00a0<a href=\"https:\/\/www.first.org\/cvss\/calculator\/3.0#CVSS:3.0\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:N\/A:N\" target=\"_blank\" rel=\"noopener noreferrer\">CVSS:3.0\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:N\/A:N<\/a><\/span><br \/>\n<span style=\"font-family: Verdana, Geneva;\"><strong>Patched Version:<\/strong>\u00a03.8.7.1<\/span><\/div>\n<p><span style=\"font-family: Verdana, Geneva;\">The commercial version of the plugin, Duplicator Pro, was also affected by this vulnerability.\u00a0<a href=\"https:\/\/snapcreek.com\/duplicator\/docs\/changelog\/?pro\" target=\"_blank\" rel=\"noopener\">The Pro version\u2019s changelog<\/a>\u00a0included a nonspecific <a 
href=\"https:\/\/www.hostnamaste.com\/blog\/news\/top-10-security-trends-to-watch-out-for-in-2020-juniper-networks\/\">security<\/a> notice, and we\u2019ve confirmed it corresponds to the same file download vulnerability in the Free version.<\/span><\/p>\n<p><span style=\"font-family: Verdana, Geneva;\">Our estimates indicate about 170,000 WordPress sites are running Duplicator Pro. About 150,000 of these sites have not been patched to the latest version, 3.8.7.1.<\/span><\/p>\n<p><span style=\"font-family: Verdana, Geneva;\">Wordfence users with Duplicator Pro are safe, with the same built-in protection that blocked attacks against the free version. At this time, we have not detected any attacks against Duplicator Pro.\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>On 19 February 2020, Wordfence reported a highly critical vulnerability found in the popular Duplicator plugin for WordPress. A critical security update was recently issued&hellip;<\/p>\n","protected":false},"author":2,"featured_media":1156,"comment_status":"open","ping_status":"closed","template":"","tags":[1413,1410,1414,1415,1412,1409,1411,1401],"news-category":[1400,1406,1403,1407,1408,1405,1402,1404],"class_list":["post-1153","news","type-news","status-publish","has-post-thumbnail","hentry","tag-attackers-stealing-database-credentials","tag-duplicator-plugin-vulnerability","tag-indicators-of-compromise-iocs","tag-update-duplicator-pro-was-also-affected","tag-wordfence","tag-wordpress-duplicator-plugin-vulnerability","tag-zero-day","tag-zero-day-wordpress-duplicator-plugin-vulnerability-affects-over-1-million-sites","news-category-zero-day-wordpress-duplicator-plugin-vulnerability-affects-over-1-million-sites","news-category-attackers-stealing-database-credentials","news-category-duplicator-plugin-vulnerability","news-category-indicators-of-compromise-iocs","news-category-update-duplicator-pro-was-also-affected","news-category-wordfence","news-category-wordpress-duplicator-plugin-
vulnerability","news-category-zero-day"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.hostnamaste.com\/blog\/wp-json\/wp\/v2\/news\/1153","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.hostnamaste.com\/blog\/wp-json\/wp\/v2\/news"}],"about":[{"href":"https:\/\/www.hostnamaste.com\/blog\/wp-json\/wp\/v2\/types\/news"}],"author":[{"embeddable":true,"href":"https:\/\/www.hostnamaste.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hostnamaste.com\/blog\/wp-json\/wp\/v2\/comments?post=1153"}],"version-history":[{"count":1,"href":"https:\/\/www.hostnamaste.com\/blog\/wp-json\/wp\/v2\/news\/1153\/revisions"}],"predecessor-version":[{"id":1158,"href":"https:\/\/www.hostnamaste.com\/blog\/wp-json\/wp\/v2\/news\/1153\/revisions\/1158"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.hostnamaste.com\/blog\/wp-json\/wp\/v2\/media\/1156"}],"wp:attachment":[{"href":"https:\/\/www.hostnamaste.com\/blog\/wp-json\/wp\/v2\/media?parent=1153"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hostnamaste.com\/blog\/wp-json\/wp\/v2\/tags?post=1153"},{"taxonomy":"news-category","embeddable":true,"href":"https:\/\/www.hostnamaste.com\/blog\/wp-json\/wp\/v2\/news-category?post=1153"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}