Dumping Full DB with Backup.php

Moderate
marcelfolaron published GHSA-8r84-p6fx-4m8g Feb 6, 2024

Package

No package listed

Affected versions

<3.0.0

Patched versions

3.0.0

Description

Summary

When backup.php is run by an unauthorized user from outside, it takes a database backup and discloses the full directory path of the backup file.

Details

The script in backup.php contains a potential security vulnerability related to information disclosure. Upon successful completion of the database backup process, the script returns detailed information about the backup, including the database name and the full path of the backup file. This is evident in the following line of code:
return array('type' => 'success', 'msg' => 'The Database ' . $config->dbDatabase . ' is saved in the path ' . getcwd() . '/' . $backupPath);

PoC

Run backup.php and you will see the backup file on the screen.
e.g.:
www.site.com/backup.php
{"backup":"The Database dbt3fxfujn2jtf is save in the path /var/www/html/public/dbt3fxfujn2jtf_20231209-0435.sql","s3":null}

Impact

If this vulnerability is exploited, it could lead to unauthorized access to sensitive data and system files, increasing the risk of further attacks.

Notes

  • Backup names were entirely random and not guessable.
  • A simple fix is to remove the backup.php file in previous versions.
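
For operators checking whether an instance running an affected version was hit, the sketch below scans web server access logs for successful requests to backup.php and for downloads of dump files named like the one in the PoC output. It is an added example, not code from the advisory or the project; the combined log format, the sample lines and the function names are assumptions.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Dump name shape taken from the PoC output: <db>_YYYYMMDD-HHMM.sql
DUMP_RE = re.compile(r'/[^/]+_\d{8}-\d{4}\.sql$')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Dec/2023:04:35:02 +0000] "GET /backup.php HTTP/1.1" 200 131 "-" "curl/8.4.0"',
    '203.0.113.7 - - [09/Dec/2023:04:35:40 +0000] "GET /dbt3fxfujn2jtf_20231209-0435.sql HTTP/1.1" 200 4821190 "-" "curl/8.4.0"',
    '198.51.100.20 - - [09/Dec/2023:05:01:11 +0000] "GET /backup.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.21 - - [09/Dec/2023:05:02:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

def triage(lines):
    """Return {ip: {"backup_runs": [...], "dump_fetches": [...]}} for 2xx hits."""
    hits = defaultdict(lambda: {"backup_runs": [], "dump_fetches": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue  # unparsable line, or a request that did not succeed
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if path.lower().endswith("/backup.php"):
            hits[m["ip"]]["backup_runs"].append(m["ts"])
        elif DUMP_RE.search(path):
            hits[m["ip"]]["dump_fetches"].append((m["ts"], path))
    return dict(hits)

def exposed(report):
    """Clients that both triggered a backup and retrieved a dump file."""
    return sorted(ip for ip, r in report.items()
                  if r["backup_runs"] and r["dump_fetches"])

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ip in exposed(report):
        print(ip, report[ip])
```

Any client listed by `exposed` should be treated as having obtained a full copy of the database; a `backup_runs` entry on its own still means a dump was written into the web root and should be located and removed.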

Severity

Moderate

CVE ID

No known CVE

Weaknesses

No CWEs

Credits