WordPress Database Backup: Directory Traversal Vulnerability

Vipe ol’ buddy…. those admin rights are just not very “safe” these days….

Heh, a valid point. ??

that someone me vkaryl? I’m ok with that. just goes to show ya some people just get off being mean-spirited I guess, but I digress. Like being an unpaid volunteer is an excuse for being a bitch? Ok then…

Thing is, people don’t really know what not to do. And telling them to make a folder world-writeable simply to make a database dump is sheer stupidity.

For instance. A REAL host will make a database backup for you any time you ask. Now if you’re hosting on the cheapest solution, there’s a couple of things: first, you have almost no support, so you have no backups; second, believe me when I tell you that making any folder on your site world-writeable is going to be a bad thing – BECAUSE YOU HAVE NO HOST SUPPORT….

Um. So I guess I’m preaching to the choir, ain’t?

“that someone me vkaryl? I’m ok with that. just goes to show ya some people just get off being mean-spirited I guess, but I digress. Like being an unpaid volunteer is an excuse for being a bitch? Ok then…”

Um. No. I was mostly meaning Matt. With whom I have already had some “words”. Several times.

How about you don’t take offense until someone really points something at you, hmm?

Can someone expound on why admin rights are “not very safe these days”?

vkaryl

fair enough…

Because people tend to give admin rights to totally unsuitable folks. And then they get upset because those totally unsuitable folks do stuff that trashes their blog….

Alternatively, they don’t use good passwords, and then some crack program allows entry which is also not a good thing, of course.

Does this mean these people who do this sort of silliness will be better protected by allowing write access to areas on their domains? No, certainly not.

What it means is that NO ONE should hand-hold people who want to use wp. The basic things everyone using wp should know:

1. NEVER give anyone admin access to your blog unless you are holding their firstborn hostage.

2. Use a “quality password” generator religiously.

3. NEVER leave any folder world-writeable.

4. Learn how to use the available options for managing your blog. YOU are responsible for its security. If necessary, YOUR HOST should be able to help you with this; it should never be an option for any script or program to allow 777 (world writeability) to be set on its folders or files; and in fact any program or script which does so should be considered suspect by your host provider.

People who need hand-holding like that should be shuffled off to squarespace or whoever.

So are saying is that if a user is the sole admin, and uses a solid password, that this vulnerability is not neccessarily at defcon 10?

And I’d like to leave the world writablity out of the equation, for another thread.

Well, if a user is the sole admin, and the password is solid (24+characters, using a decent password gen) and the machine used for normal access is not open/suspect, I would personally consider it “okay” – maybe not perfect, but at least not readibly accessible – assuming no 777 folders (fine, do another thread, but that’s still the “meat” of this one in a way….)

Um. What’s “defcon 10”?

“defcon” is Defense Condition.

Ryan Boren cooked up a fix for the directory traversal vulnerability. Download it here.

Will this work with the Cron jobs then?

Ah. Thanks, skippy…. I don’t pay any attention to stuff like that. I don’t do movies at all. And if they’re going to blow me away tomorrow, how is knowing about it today going to help? Guess that’s one nice thing about being “old”….

miklb: I don’t see why not. The modifications Ryan made only check to ensure that directory traversal isn’t happening (using “../” in the file name to move up the directory tree). The cron job backups shouldn’t be doing anything like that.

World writability really sounds scary, and I think it would be a good idea to give the user community some solid advice as to what is the necessary permissions.
Making a backup with Skippys plugin is convenient, and I think it should stay in.

I use it all the time, and I’ll continue doing so, lazy as I am. I don’t wp-cron it, just activate it for a few seconds to make the backup and then close it down.

I feel safe with that, and to reiterate:

Description:
WP-DB Backup is vulnerable to directory traversal attack.
You must have administrator rights in the wordpress blog to exploit this vulnerability.

We have many many plugins that require files to be 777 and we get much less complaints than the db-backup.

We have dozens of hosts who do not take the steps they could to better secure files for their customers and make it necessary for files to be 777.

And I have yet to see any such vulnerability exploited in the plugins directory. It’s a hit/miss there with probably a much higher miss rate.
Every ‘exploit’ I have seen here had been in a theme directory and they do NOT need to be world-writable but people leave them that way.

This thread isn’t about 777, nor about site management. It’s about Skippy being a decent guy and stating something was wrong.