http://yourblogdomain/wp-content/plugins/myeasybackup/meb_download.php?dwnfile=myEASYbackup__2010-02-28_14-03-23.zip
Put the real date and time of the backup you have just made into that file name. Do you get the file, without entering any user name or password? Congratulations! You have broken your own blog's security without any deep technical knowledge. Why does this matter? Check the .zip file content:
1st, – It contains the highly sensitive wp-config.php file, which holds your MySQL database hostname, database name, user name and password.
2nd, – It includes all your blog code and database content. Hours or months of your work can be stolen by somebody in a minute.
If you think that guessing the real date and time of the backup file is a real obstacle, you are mistaken. The backup file name structure is visible in the MyEasyBackup plugin source code and on its admin page, so a very simple PHP script can brute-force the download by iterating over dates and times until it gets the file.
What should you do now if you have the MyEasyBackup plugin installed? Deactivate it for the time being and wait for the next version, in which plugin author Ugo Grandolini fixes the vulnerabilities in his plugin. I will check its state from time to time and write a review when the new version appears.
The plugin author has to check, inside every PHP script the plugin includes, that the code is executed under WordPress control only. Any direct call must be prohibited. Take one more look at your code thinking about security first, not functionality only.
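As an added illustration of what such a check looks like (this is example code written for this review, not the MyEasyBackup plugin's own code), here is a backup download handler that refuses direct calls, requires an administrator with a valid nonce, and validates the requested file name before serving it. The backup directory, the `meb_example_` names and the hook action are assumptions for the example.

```php
<?php
// Added example, not the plugin's own code: a backup download handler that
// runs only under WordPress control. Directory and function names are assumed.

// 1. Refuse direct calls. When this file is requested straight from the web,
//    WordPress has not been loaded, so the ABSPATH constant is not defined.
if ( ! defined( 'ABSPATH' ) ) {
    header( 'HTTP/1.1 403 Forbidden' );
    exit;
}

function meb_example_serve_backup() {
    // 2. Only a logged-in administrator may download a backup.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 3. Require a nonce so the link only works from the plugin's admin page.
    check_admin_referer( 'meb_example_download' );

    // 4. Never trust the file name: drop any directory part and accept only
    //    the backup naming pattern shown in the review (myEASYbackup__date_time.zip).
    $name = basename( isset( $_GET['dwnfile'] ) ? wp_unslash( $_GET['dwnfile'] ) : '' );
    if ( ! preg_match( '/^myEASYbackup__\d{4}-\d{2}-\d{2}_\d{2}-\d{2}-\d{2}\.zip$/', $name ) ) {
        wp_die( 'Invalid file name.', '', array( 'response' => 400 ) );
    }

    // Assumed backup directory (illustrative path, not the plugin's real one).
    $dir  = WP_CONTENT_DIR . '/meb-example-backups/';
    $path = realpath( $dir . $name );
    if ( false === $path || 0 !== strpos( $path, realpath( $dir ) ) || ! is_file( $path ) ) {
        wp_die( 'File not found.', '', array( 'response' => 404 ) );
    }

    header( 'Content-Type: application/zip' );
    header( 'Content-Disposition: attachment; filename="' . $name . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
}

// Wire the handler into wp-admin so it is reachable only through WordPress.
add_action( 'admin_post_meb_example_download', 'meb_example_serve_backup' );
```

The admin page would then build the link with `wp_nonce_url( admin_url( 'admin-post.php?action=meb_example_download&dwnfile=' . $name ), 'meb_example_download' )`, so an unauthenticated request for the raw plugin file returns 403 instead of the archive.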
Tags: Security, WordPress, wordpress plugin, wordpress plugin review