BackupBuddy vulnerability

Admin

A vulnerability has been found in the popular BackupBuddy plugin and was made public 24 hours ago. As part of the restore process of BackupBuddy, the script is supposed to remove a file called 'importbuddy.php' which is usually in the root of your WordPress installation. This step occasionally fails as a result of filesystem permissions.

What to do: If you use BackupBuddy to restore your data from a backup, make sure that you manually check that importbuddy.php has been deleted from your WordPress root directory once you have completed the restore process.

If importbuddy.php does fail to get deleted, an attacker can use importbuddy.php to find out the names of your backup files and download them. These backup files contain your site's files and your database. importbuddy.php also includes an upload option which may be abused for site modification or defacement.

Note that importbuddy.php does have a password option but according to the researcher who reported this issue the password is not a mandatory requirement.
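
The manual check described in the post can be scripted when a server hosts many sites. The following is an added example, not part of the original post and not BackupBuddy code; it assumes a WordPress root is any directory containing wp-config.php, and the function name `check_importbuddy` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): report WordPress roots that
# still contain importbuddy.php after a BackupBuddy restore.
# Assumption: a WordPress root is any directory holding wp-config.php.

# check_importbuddy BASE_DIR   (hypothetical helper name)
# Prints "<path><TAB><removable|not-removable>" per leftover file.
# Exit status: 1 if at least one leftover file was found, else 0.
check_importbuddy() {
    find "$1" -type f -name wp-config.php 2>/dev/null | (
        found=0
        while IFS= read -r cfg; do
            root=$(dirname "$cfg")
            target="$root/importbuddy.php"
            [ -e "$target" ] || continue
            found=1
            # Unlinking needs write + search permission on the directory.
            # This is tested for the user running the script; the same lack
            # of permission is what makes the restore's cleanup step fail.
            if [ -w "$root" ] && [ -x "$root" ]; then
                state=removable
            else
                state=not-removable
            fi
            printf '%s\t%s\n' "$target" "$state"
        done
        exit "$found"
    )
}

# Stand-alone use: sh check.sh /var/www   (path is a constructed sample)
if [ "$#" -gt 0 ]; then
    check_importbuddy "$1"
fi
```

The non-zero exit status on a finding makes the script usable from cron or a monitoring check. Running it as the web server user shows the same permission view the restore process had.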