A vulnerability has been found in iThemes Security backup function that may allow attackers to gain access to backup/log files.

By default, when using the "database backup on filesystem" feature, iThemes Security saves the backup files in a world-readable directory :

wp-content/uploads/ithemes-security/backups

The .htaccess file is generated during the plugin initial setup/update, only if the wp-content/uploads/ithemes-security/backups exists (or wp-content/uploads/ithemes-security/logs). Note that it does NOT exists by default.

When running a backup, the ITSEC_Backup class creates the directory but without any .htaccess file inside. The same thing happens with log saving.

If the webserver has directory listing enabled, then anybody can download the complete database backup or view the log files.

Access Vector: remote

Security Risk: high

Vulnerability: CWE-219

CVSS Base Score: 7.5

Vulnerable code

The vulnerable code is located in core/modules/backup/class-itsec-backup.php, line 246 :

if ( ! is_dir( $itsec_globals['ithemes_backup_dir'] ) ) {
    @mkdir( trailingslashit( $itsec_globals['ithemes_dir'] ) . 'backups' );
}

And in core/class-itsec-logger.php, line 31 :

//Make sure the logs directory was created
if ( ! is_dir( $itsec_globals['ithemes_log_dir'] ) ) {
        @mkdir( trailingslashit( $itsec_globals['ithemes_dir'] ) . 'logs' );
}

The application creates the backup/log directory, but not the .htaccess/index file inside.

Solution

Add a default index file file inside the backup folder when creating the directory or store the backups outside of the web root.

Update iThemes Security to version >= 5.3.1

Timeline (dd/mm/yyyy)

  • 26/02/2016 : Initial contact with iThemes.
  • 26/02/2016 : iThemes confirms the vulnerabilities.
  • 29/02/2016 : iThemes publishes a new version (5.3.1) of iThemes Security that fixes the vulnerabilities.

Credits

  • Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)