# Exploit Title: WordPress Backup plugin exposes site data# Google Dork: http://www.google.com/search?q=inurl:wp-content/backup.log*# Date: 01-jul-2012# Exploit Author: Stephan Knauss# Vendor Homepage: http://wordpress.org/extend/plugins/backup/# Software Link: http://downloads.wordpress.org/plugin/backup.2.0.1.zip# Version: 2.0.1
About Plugin:=============
Backup is a plugin that provides backup capabilities for WordPress. Backups are zip archives created locally and uploaded to a folder of your choosing on Google Drive.
Weakness:=========
The default configuration exposes a logfile with filenames of the actual backups. The backup files are available for download once the name is extracted from this logfile.
Depending on the settings this gives access to a copy of the WordPress database, wp-content, uploads, plugins or complete site.
Fix:====
Local folder path setting should be set to a value that can not be guessed by default. Until a fix is available it is up to the user of the plugin to configure it accordingly.
Detection and Google Dork:==========================
Blog is vulnerable if http://www.example.com/wp-content/backup/backup.log exists.
Usually the logfile isnot indexed. Still possibe to matchin rare occasions:
http://www.google.com/search?q=inurl:wp-content/backup.log*or trace back vulnerable blogs from logfiles being posted
http://www.google.com/search?q="Attempting+to+create+archive"+"wp-content/backup/"
Relevance:==========
Plugin is downloaded 15.000 times,with a download rate of currently 400 downloads a day.
