CVE-2020-36669: Changeset 2341420 – WordPress Plugin Repository
The JetBackup – WP Backup, Migrate & Restore plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.9. This is due to missing nonce validation on the backup_guard_get_import_backup() function. This makes it possible for unauthenticated attackers to upload arbitrary files to the vulnerable site’s server via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Timestamp:
07/16/2020 08:20:20 AM (3 years ago)
BackupGuard
Message:
Add Backup new version 1.4.0
Location:
backup/trunk
Files:
- BackupGuard.php (7 diffs)
- README.txt (2 diffs)
- backup.php (2 diffs)
- public/ajax/modalImport.php (1 diff)
- public/js/sgcloud.js (2 diffs)
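--- a/backup/trunk/BackupGuard.php
+++ b/backup/trunk/BackupGuard.php
@@ -282,5 +282,5 @@
 echo 'SG_AJAX_REQUEST_FREQUENCY = "'.$sgAjaxRequestFrequency.'";';
 echo 'function getAjaxUrl(url) {'.
-'if (url==="cloudDropbox" || url==="cloudGdrive" || url==="cloudOneDrive") return "'.admin_url('admin-post.php?action=backup_guard_').'"+url;'.
+'if (url==="cloudDropbox" || url==="cloudGdrive" || url==="cloudOneDrive") return "'.admin_url('admin-post.php?action=backup_guard_').'"+url+"&token='.wp_create_nonce('backupGuardAjaxNonce').'";'.
 'return "'.admin_url('admin-ajax.php').'";}</script>';
 
@@ -338,5 +338,7 @@
 {
 check_ajax_referer('backupGuardAjaxNonce', 'token');
-require_once(SG_PUBLIC_AJAX_PATH.'modalManualBackup.php');
+if (is_admin()) {
+require_once(SG_PUBLIC_AJAX_PATH.'modalManualBackup.php');
+}
 exit();
 }
@@ -511,4 +513,5 @@
 function backup_guard_import_key_file()
 {
+check_ajax_referer('backupGuardAjaxNonce', 'token');
 require_once(SG_PUBLIC_AJAX_PATH.'importKeyFile.php');
 }
@@ -574,4 +577,5 @@
 function backup_guard_cloud_dropbox()
 {
+check_ajax_referer('backupGuardAjaxNonce', 'token');
 require_once(SG_PUBLIC_AJAX_PATH.'cloudDropbox.php');
 }
@@ -584,4 +588,5 @@
 function backup_guard_cloud_amazon()
 {
+check_ajax_referer('backupGuardAjaxNonce', 'token');
 require_once(SG_PUBLIC_AJAX_PATH.'cloudAmazon.php');
 }
@@ -589,4 +594,5 @@
 function backup_guard_cloud_gdrive()
 {
+check_ajax_referer('backupGuardAjaxNonce', 'token');
 require_once(SG_PUBLIC_AJAX_PATH.'cloudGdrive.php');
 }
@@ -622,4 +628,5 @@
 function backup_guard_get_import_backup()
 {
+check_ajax_referer('backupGuardAjaxNonce', 'token');
 require_once(SG_PUBLIC_AJAX_PATH.'importBackup.php');
 }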
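Review bot: The new `if (is_admin())` guard at new line 340 does not check who the caller is: `is_admin()` reports whether the request is being served through a WP-Admin URL, and that is true for every admin-ajax.php request regardless of the user's role, so the branch adds no authorization. A capability check is what is needed there, `if (current_user_can('manage_options')) {`, and the same check belongs in the other handlers touched here (backup_guard_import_key_file, backup_guard_cloud_dropbox, backup_guard_cloud_amazon, backup_guard_cloud_gdrive, backup_guard_get_import_backup), because the added `check_ajax_referer('backupGuardAjaxNonce', 'token')` only proves the request came from a page that rendered the nonce, not that the user may import backups or change cloud credentials. The function enclosing the line-340 hunk starts outside the hunk, and how these handlers are registered (whether `wp_ajax_nopriv_` variants exist) is not visible in this changeset, so the privilege each one actually requires should be confirmed against the registration code.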
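--- a/backup/trunk/README.txt
+++ b/backup/trunk/README.txt
@@ -7,5 +7,5 @@
 Requires at least: 3.8
 Tested up to: 5.4.2
-Stable tag: 1.3.9
+Stable tag: 1.4.0
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -158,4 +158,7 @@
 
 == Changelog ==
+= 1.4.0 =
+* Plugin security improvements
+
 = 1.3.9 =
 * Admin side bug fixed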
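--- a/backup/trunk/backup.php
+++ b/backup/trunk/backup.php
@@ -5,5 +5,5 @@
 * Plugin URI: https://backup-guard.com/products/backup-wordpress
 * Description: Backup Guard is the most complete site backup and restore plugin. We offer the easiest way to backup, restore or migrate your site. You can backup your files, database or both.
-* Version: 1.3.9
+* Version: 1.4.0
 * Author: BackupGuard
 * Author URI: https://backup-guard.com/products/backup-wordpress
@@ -17,5 +17,5 @@
 
 if (!defined('SG_BACKUP_GUARD_VERSION')) {
-define('SG_BACKUP_GUARD_VERSION', '1.3.9');
+define('SG_BACKUP_GUARD_VERSION', '1.4.0');
 }
 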
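--- a/backup/trunk/public/ajax/modalImport.php
+++ b/backup/trunk/public/ajax/modalImport.php
@@ -65,5 +65,5 @@
 <span class="input-group-btn">
 <span class="btn btn-primary btn-file backup-browse-btn">
-<?php _backupGuardT('Browse')?>… <input class="sg-backup-upload-input" type="file" name="files[]" data-url="<?php echo admin_url('admin-ajax.php')."?action=backup_guard_importBackup" ?>" data-max-file-size="<?php echo backupGuardConvertToBytes($maxUploadSize.'B'); ?>">
+<?php _backupGuardT('Browse')?>… <input class="sg-backup-upload-input" type="file" name="files[]" data-url="<?php echo admin_url('admin-ajax.php')."?action=backup_guard_importBackup&token=".wp_create_nonce('backupGuardAjaxNonce') ?>" data-max-file-size="<?php echo backupGuardConvertToBytes($maxUploadSize.'B'); ?>">
 </span>
 </span>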
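Review bot: The new `data-url` value on line 67 concatenates `admin_url()` output and the nonce straight into an HTML attribute with no output escaping; `wp_create_nonce()` returns a short hexadecimal string, so the added token is not a problem as written, but escaping at the point of output is the WordPress convention and the neighbouring `data-max-file-size` echo has the same gap. One line builds the URL and escapes it for the attribute context: `data-url="<?php echo esc_url(add_query_arg(['action' => 'backup_guard_importBackup', 'token' => wp_create_nonce('backupGuardAjaxNonce')], admin_url('admin-ajax.php'))); ?>"`, with `esc_attr()` wrapped around the byte-size echo to match. Note that the nonce printed here is only a CSRF token; the upload handler it targets still needs its own capability check, which is not visible in this file.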
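--- a/backup/trunk/public/js/sgcloud.js
+++ b/backup/trunk/public/js/sgcloud.js
@@ -48,4 +48,5 @@
 var ajaxHandler = new sgRequestHandler(url, sguploadFile, {
 contentType: false,
+token: BG_BACKUP_STRINGS.nonce,
 cache: false,
 xhr: function() { // Custom XMLHttpRequest
@@ -118,5 +119,5 @@
 }
 else {
-var ajaxHandler = new sgRequestHandler(url, {cancel: true});
+var ajaxHandler = new sgRequestHandler(url, {cancel: true,token: BG_BACKUP_STRINGS.nonce });
 ajaxHandler.callback = function(response){
 jQuery('.sg-'+storage+'-user').remove();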
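Review bot: Both new `token: BG_BACKUP_STRINGS.nonce` options (new lines 50 and 121) depend on a `nonce` key existing in the localized `BG_BACKUP_STRINGS` object and on `sgRequestHandler` forwarding its `token` option as a request parameter, and neither is established anywhere in this changeset. If the key is absent the value is `undefined`, the server-side `check_ajax_referer('backupGuardAjaxNonce', 'token')` rejects the request, and cloud uploads fail with no obvious cause for the user. It is worth confirming that the `wp_localize_script` (or equivalent) call populating `BG_BACKUP_STRINGS` sets `nonce` from `wp_create_nonce('backupGuardAjaxNonce')` in this release, and adding a comment on line 50 such as `// CSRF token; validated server-side by check_ajax_referer('backupGuardAjaxNonce', 'token')` so the coupling is visible to the next maintainer. Both enclosing functions start outside their hunks.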