On 19 February 2020, Wordfence reported a highly critical vulnerability found in the popular Duplicator plugin for WordPress.
Duplicator is used to migrate and clone WordPress sites: an administrator builds a package of the site from the WP dashboard and then downloads the generated archive from the same screen.
Exploiting the newly reported vulnerability lets an unauthenticated attacker download arbitrary files from the target site, wp-config.php and the database credentials it holds included. More than 1 million WordPress websites run the plugin and are affected by this flaw until it is updated.
When a user creates a package and clicks the download button, the dashboard calls the WordPress AJAX handler with the action duplicator_download and a file parameter naming the archive to serve.
"Unfortunately the duplicator_download action was registered via wp_ajax_nopriv_ and was accessible to unauthenticated users. To make things worse, no validation limited the filepaths being downloaded. The file parameter is passed through sanitize_text_field and appended to the plugin constant DUPLICATOR_SSDIR_PATH, but directory traversal was still possible. An attacker could access files outside of Duplicator's intended directory by submitting values like ../../../file.php to navigate throughout the server's file structure." – Wordfence
The vulnerable handler as published by Wordfence. Note that this copy hooks init and inspects $_GET['action'] itself, so a plain GET to any WordPress URL carrying ?action=duplicator_download&file=... reaches the download logic before any authentication or capability check, and the only "validation" of file is sanitize_text_field(), which strips tags and whitespace but leaves ../ untouched:

    function duplicator_init() {
        if (isset($_GET['action']) && $_GET['action'] == 'duplicator_download') {
            // No capability or nonce check: any visitor reaches this branch.
            $file = sanitize_text_field($_GET['file']);
            // sanitize_text_field() does not remove "../", so $filepath can
            // resolve anywhere on the filesystem the web server can read.
            $filepath = DUPLICATOR_SSDIR_PATH.'/'.$file;
            // Process download
            if (file_exists($filepath)) {
                // Clean output buffer
                if (ob_get_level() !== 0 && @ob_end_clean() === FALSE) {
                    @ob_clean();
                }
                header('Content-Description: File Transfer');
                header('Content-Type: application/octet-stream');
                header('Content-Disposition: attachment; filename="'.basename($filepath).'"');
                header('Expires: 0');
                header('Cache-Control: must-revalidate');
                header('Pragma: public');
                header('Content-Length: '. filesize($filepath));
                flush(); // Flush system output buffer
                try {
                    $fp = @fopen($filepath, 'r');
                    if (false === $fp) {
                        throw new Exception('Fail to open the file '.$filepath);
                    }
                    while (!feof($fp) && ($data = fread($fp, DUPLICATOR_BUFFER_READ_WRITE_SIZE)) !== FALSE) {
                        echo $data;
                    }
                    @fclose($fp);
                } catch (Exception $e) {
                    readfile($filepath);
                }
                exit;
            } else {
                wp_die('Invalid installer file name!!');
            }
        }
    }
    add_action('init', 'duplicator_init');
Source: WordFence
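To make the traversal concrete, the following added example (not Duplicator, Wordfence or BitNinja code) reproduces the plugin's path construction and puts a hardened version next to it. The backup directory value and the sanitize_text_field() emulation are assumptions made for the demonstration; the hardened function first allow-lists the archive name and then checks that the resolved path is still inside the backup directory, which is the same check a fix would do in PHP with realpath() and a prefix comparison.

```python
"""Duplicator-style path handling: vulnerable join vs. contained join.
Added example; SSDIR_PATH is an assumed value of DUPLICATOR_SSDIR_PATH."""
import posixpath
import re

# Assumed location of the plugin's package directory on a typical install.
SSDIR_PATH = "/var/www/html/wp-content/backups-dup-lite"

# Archive names the handler should ever be asked for: no separators, no leading dot.
ARCHIVE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]*")


def sanitize_text_field(value: str) -> str:
    """Minimal emulation of WordPress sanitize_text_field(): drop tags,
    control characters and surrounding whitespace.  It never touches
    '.', '/' or '..', which is why it cannot stop directory traversal."""
    value = re.sub(r"<[^>]*>", "", value)
    value = "".join(ch for ch in value if ch >= " " and ch != "\x7f")
    return value.strip()


def vulnerable_path(file_param: str) -> str:
    """Mirror of DUPLICATOR_SSDIR_PATH . '/' . sanitize_text_field($file):
    returns the path the server would actually open."""
    return posixpath.normpath(SSDIR_PATH + "/" + sanitize_text_field(file_param))


def safe_path(file_param: str) -> str:
    """Hardened version.  Rejects anything that is not a bare archive name
    and, as defence in depth, anything that resolves outside SSDIR_PATH."""
    name = sanitize_text_field(file_param)
    if not ARCHIVE_NAME_RE.fullmatch(name) or name == "..":
        raise ValueError(f"refusing {file_param!r}: not a plain archive name")
    resolved = posixpath.normpath(SSDIR_PATH + "/" + name)
    # commonpath() is the containment check; a bare prefix compare would
    # accept a sibling directory such as .../backups-dup-lite-other.
    if posixpath.commonpath([SSDIR_PATH, resolved]) != SSDIR_PATH or resolved == SSDIR_PATH:
        raise ValueError(f"refusing {file_param!r}: resolves outside {SSDIR_PATH}")
    return resolved


def demo() -> dict:
    """Show where each input actually lands under both implementations."""
    inputs = [
        "20200219_site_archive.zip",          # legitimate package
        "../../wp-config.php",                # two levels up: the site's config
        "../../../../../../etc/passwd",       # normpath clamps at '/', so '..' past root is harmless
        "<b>../</b>../wp-config.php ",        # tags and spaces are stripped, traversal survives
    ]
    out = {}
    for value in inputs:
        try:
            hardened = safe_path(value)
        except ValueError as exc:
            hardened = f"REJECTED ({exc})"
        out[value] = {"vulnerable": vulnerable_path(value), "hardened": hardened}
    return out


if __name__ == "__main__":
    for value, result in demo().items():
        print(f"{value!r:42} -> {result['vulnerable']}")
        print(f"{'':42}    {result['hardened']}")
```

In the plugin itself the equivalent fix also needs an authentication gate in front of the path check: require manage_options (or the plugin's own capability) and verify a nonce before anything is read from disk, so that the file parameter is never evaluated for anonymous visitors at all.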
If your access logs show GET requests with the query string action=duplicator_download whose file parameter contains ../ sequences (plain or URL-encoded) or names a sensitive file such as wp-config.php, you are most probably being targeted.
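The log check described above, as an added example that is not part of the original post or of BitNinja's tooling: it parses combined-format access log lines, isolates requests carrying action=duplicator_download and flags a file parameter that traverses directories, that does so only after a second round of URL decoding (a WAF-evasion attempt; PHP decodes $_GET once, so such a payload does not traverse on disk, but it is still an attack signal), or that names a known sensitive file. The log lines and the RFC 5737 client addresses are constructed for the demonstration.

```python
"""Flag Duplicator download abuse in access logs.  Added example; the
sample lines below are constructed, not taken from a real server."""
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A ".." path component with either separator, at the start or after a separator.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
SENSITIVE_RE = re.compile(r"wp-config\.php|/etc/passwd|\.htaccess|\.htpasswd", re.I)

# Constructed sample log (Apache combined format); 203.0.113.x and 198.51.100.x
# are documentation addresses.
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Feb/2020:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=20200219_site_archive.zip HTTP/1.1" 200 8812991 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [19/Feb/2020:10:01:22 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=../../wp-config.php HTTP/1.1" 200 3012 "-" "curl/7.64.0"',
    '203.0.113.5 - - [19/Feb/2020:10:01:40 +0000] "GET /?action=duplicator_download&file=..%2F..%2Fwp-config.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [19/Feb/2020:10:03:15 +0000] "GET /index.php?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [19/Feb/2020:10:04:02 +0000] "GET /?action=duplicator_download&file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 3012 "-" "python-requests/2.22"',
    '203.0.113.77 - - [19/Feb/2020:10:05:50 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=../../../../../../etc/passwd HTTP/1.1" 200 1432 "-" "curl/7.64.0"',
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode until the string stops changing (bounded), so that a
    double-encoded payload such as %252e%252e%252f is exposed as ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_download(file_param: str) -> Optional[str]:
    """file_param is the value as PHP's $_GET sees it (decoded once).
    Returns a reason when it looks malicious, otherwise None."""
    if TRAVERSAL_RE.search(file_param):
        return "directory traversal"
    deep = fully_decode(file_param)
    if deep != file_param and (TRAVERSAL_RE.search(deep) or SENSITIVE_RE.search(deep)):
        return "double-encoded traversal"
    if SENSITIVE_RE.search(file_param):
        return "sensitive file name"
    return None


def scan_log(lines: List[str]) -> List[dict]:
    """Return one finding per GET request that abuses duplicator_download."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        # parse_qs() decodes percent-encoding once, matching what PHP does to $_GET.
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        if query.get("action", [""])[0] != "duplicator_download":
            continue
        file_param = query.get("file", [""])[0]
        reason = classify_download(file_param)
        if reason:
            findings.append({"ip": m["ip"], "time": m["ts"], "status": m["status"],
                             "file": file_param, "reason": reason})
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']:14} {hit['time']}  {hit['reason']:26} {hit['file']}")
```

A 200 status on a flagged line means the download succeeded, which is the signal to treat the site's database credentials and salts as compromised and rotate them, not just to update the plugin.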
This vulnerability is trivial to exploit (a single unauthenticated GET request), so if you run Duplicator on your WordPress site, update it right now.
Updating the plugin is the real fix, but BitNinja also provides server-wide protection in front of it. If the BitNinja WAF is already running on your servers with the default settings, exploitation attempts are blocked.
The Recommended ruleset contains the WAF rule that covers the Duplicator vulnerability. If you want to verify that it is in place, follow these steps:
The default pre-defined ruleset is "Recommended". You can read more about the WAF module and the rulesets in this article.
The rule is active in the Recommended ruleset by default, so no further action is needed. To confirm, check that rule 930120 (OS File Access) is enabled.
Rule 930120 blocks requests that reference known sensitive files such as wp-config.php in a GET request. Bear in mind that this rule fires only on requests naming a file in its restricted-files list; a traversal aimed at a file outside that list would not be caught by this rule alone, which is why the plugin update remains mandatory.
Patch Duplicator vulnerability with BitNinja WAF
Do you need assistance with securing your servers? Contact us at [email protected] and we’ll gladly help you eliminate hackers and bots.
Stay safe!