Summary
When the backup.php file is run by an unauthorized user from outside, it takes a database backup and returns the backup's full path.
Details
The script in backup.php contains a potential security vulnerability related to information disclosure. Upon successful completion of the database backup process, the script returns detailed information about the backup, including the database name and the full path of the backup file. This is evident in the following line of code:
return array('type' => 'success', 'msg' => 'The Database ' . $config->dbDatabase . ' is saved in the path ' . getcwd() . '/' . $backupPath);
PoC
Run backup.php and you will see the backup file's path on the screen.
e.g.:
www.site.com/backup.php
{"backup":"The Database dbt3fxfujn2jtf is save in the path /var/www/html/public/dbt3fxfujn2jtf_20231209-0435.sql","s3":null}
Impact
If this vulnerability is exploited, it could lead to unauthorized access to sensitive data and system files, increasing the risk of further attacks.
Notes
- Backup names were entirely random and not guessable.
- A simple fix is to remove the backup.php file in previous versions.
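A hardened form of the reporting step, as an added example that is not the project's code: it refuses to run under a web SAPI and writes the database name and path to the server log instead of returning them. BACKUP_DIR, requireCli() and reportBackup() are hypothetical names, and the sample values are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not the project's code. All names below are hypothetical.

// Assumed backup location outside the document root, so a dump is never
// reachable by URL even if its file name leaks.
const BACKUP_DIR = '/var/backups/app';

// Gate 1: backups are an operator task, so only the CLI SAPI may run them.
function requireCli(string $sapi = PHP_SAPI): bool
{
    return $sapi === 'cli';
}

// Gate 2: the caller-visible result carries no database name and no path.
// The details go to the server-side log, where only operators can read them.
function reportBackup(string $dbName, string $backupFile): array
{
    error_log(sprintf(
        'backup ok: db=%s file=%s/%s',
        $dbName,
        BACKUP_DIR,
        basename($backupFile) // drop any directory part supplied by the caller
    ));

    return ['type' => 'success', 'msg' => 'Backup completed.'];
}

if (!requireCli()) {
    http_response_code(404); // do not confirm that the script exists
    exit;
}

// Constructed sample values standing in for $config->dbDatabase and $backupPath.
$result = reportBackup('exampledb', 'exampledb_20240101-0000.sql');

// Same response shape as the PoC output, minus the disclosed details.
echo json_encode(['backup' => $result['msg'], 's3' => null]), PHP_EOL;
```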