MyEasyBackup plugin breaks WordPress security

WP breaked by plugin

The MyEasyBackup WordPress plugin can make your life easier by simplifying the backup of WordPress files and MySQL data. But be aware when installing its version 0.0.2, because this version also simplifies life for intruders. It is a new, just published plugin; the WordPress.org Stats page shows 280 downloads already at the moment I write this post, so this plugin can become popular. But plugin author Ugo Grandolini needs to make a security fix to his code ASAP, as the plugin gives any curious intruder access to critical blog data. Do you wish to check it yourself? If you have installed this plugin and built your first backup copy, make a simple experiment. Log out from your blog and enter this URL into the browser address field:

http://yourblogdomain/wp-content/plugins/myeasybackup/meb_download.php?dwnfile=myEASYbackup__2010-02-28_14-03-23.zip

Put the real date and time of your just-made backup in place of the ones shown. Do you get this file, without entering any user name or password? Congratulations!!! You have broken your blog's security without any deep technical knowledge. Why does this matter? Check the .zip file content:
1st – it contains the very critical wp-config.php file, which holds your MySQL database hostname, database name, user name and password.
2nd – it includes all your blog code and database content. Hours or months of your work can be stolen by somebody in a minute.
If you think that the real date and time of your backup file are hard to guess, that is a mistake. The backup file name structure is visible in the MyEasyBackup plugin source code and on its admin page, so the only unknown is the date and time, and a very simple PHP script can brute-force it by going over dates and times until it gets the needed file.
What should you do now if you have the MyEasyBackup plugin installed? Deactivate it for the time being and wait for the next version, in which plugin author Ugo Grandolini fixes the vulnerabilities of his plugin. I will check its state from time to time and write a review when the new version appears.
The plugin author has to check, inside every PHP script his plugin includes, that the code is executed under WordPress control only. Any direct call must be prohibited. Just take one more look at your code, thinking about security first, not only functionality.
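To make that advice concrete, here is an added example of how a download handler like meb_download.php can refuse direct calls and serve a backup only to an authenticated administrator. This is not the plugin's own code: the handler name, the hook action, the nonce action and the backup directory are assumptions; only the dwnfile parameter and the myEASYbackup__YYYY-MM-DD_HH-MM-SS.zip file name shape come from this post.

```php
<?php
// Added example, not MyEasyBackup's code. Hardened variant of a backup download
// script: it runs only when WordPress itself loads it, and only for administrators.

// 1. A direct request to this file by URL never defines ABSPATH, so stop right here.
//    Everything below is reachable only when WordPress has included the file.
if ( ! defined( 'ABSPATH' ) ) {
    http_response_code( 403 );
    exit;
}

function meb_hardened_download() {
    // 2. Only a logged-in user with the administrator capability may fetch an archive.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    // 3. Require a nonce bound to this action (the link is built with wp_nonce_url()),
    //    so a download URL copied from the admin page cannot simply be replayed.
    check_admin_referer( 'meb_download_backup' ); // assumed nonce action name

    // 4. Accept only the exact file-name shape the plugin generates; anything else
    //    (other names, path separators, "..") is rejected before touching the disk.
    $requested = isset( $_GET['dwnfile'] ) ? (string) wp_unslash( $_GET['dwnfile'] ) : '';
    if ( ! preg_match( '/^myEASYbackup__\d{4}-\d{2}-\d{2}_\d{2}-\d{2}-\d{2}\.zip$/', $requested ) ) {
        wp_die( 'Invalid file name', '', array( 'response' => 400 ) );
    }

    // 5. Resolve the file inside the backup directory and confirm it stayed there.
    $backup_dir = trailingslashit( WP_CONTENT_DIR ) . 'myeasybackup-archives/'; // assumed location
    $base       = realpath( $backup_dir );
    $path       = realpath( $backup_dir . $requested );
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR )
        || ! is_file( $path ) ) {
        wp_die( 'Not found', '', array( 'response' => 404 ) );
    }

    // 6. Stream the archive with no caching, so proxies do not keep a copy.
    nocache_headers();
    header( 'Content-Type: application/zip' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
}

// Register the handler on admin-post.php. Using admin_post_ (and deliberately NOT
// admin_post_nopriv_) means logged-out visitors never reach the function at all.
// Admin page link: wp_nonce_url( admin_url( 'admin-post.php?action=meb_download_backup&dwnfile=' . $name ), 'meb_download_backup' )
add_action( 'admin_post_meb_download_backup', 'meb_hardened_download' );
```

The key property is that the file has no code path that works when it is requested by URL on its own: the ABSPATH guard stops a direct hit, and WordPress's admin-post dispatcher plus the capability and nonce checks stop an unauthenticated or cross-site request even when the file is included correctly. The file-name pattern and realpath check are defence in depth on top of that, keeping the dwnfile parameter from naming anything except a backup archive in the expected directory.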