Changeset 496048

Timestamp:

01/27/2012 09:26:34 AM (14 years ago)

Author:

camaleo

Message:

1.0.11 Improves the fix applied with version 1.0.9 and fixes the possibility for malicious user to discover the directory structure of the target site as kindly reported by Pavel Komisarchuk of 6scan.com

Location:

myeasybackup/trunk

Files:

• ajax_ro.php (modified) (9 diffs)
• inc/myEASYcom.php (modified) (1 diff)
• meb-config.php (modified) (1 diff)
• meb_download.php (modified) (1 diff)
• meb_settings.php (modified) (3 diffs)
• myeasybackup.php (modified) (2 diffs)
• readme.txt (modified) (2 diffs)

myeasybackup/trunk/ajax_ro.php

@@ -6 +6 @@
  * @author Ugo Grandolini
  * @since 0.1.3
- * @version 1.0.5.7
+ * @version 1.0.11
  */
 
@@ -38 +38 @@
 //$referer = $path[0];
 //echo '$referer['.$referer.']';
+//var_dump($_SERVER);
+
 /*
  * var_dump($_SERVER);
@@ -56 +58 @@
     && isset($_SERVER['HTTP_REFERER'])) { /* this entire condition @since 1.0.5.9 */
 
-    if(stripos($_SERVER['HTTP_HOST'], $_SERVER['SERVER_NAME'])!==false
-        && stripos($_SERVER['HTTP_HOST'], $_SERVER['HTTP_REFERER'])!==false) {
+    if(stripos($_SERVER['HTTP_HOST'], $_SERVER['SERVER_NAME']) !== false
+        && stripos($_SERVER['HTTP_HOST'], $_SERVER['HTTP_REFERER']) !== false) {
 #-------------
 #   1.0.0: END
 #
-        echo $_POST['tag']
+        echo strip_tags($_POST['tag'])
             .$splitter_tag
             .'<div class="warning">'
@@ -128 +130 @@
 }
 
+
+
+
+if(!function_exists('wp_create_nonce')) {
+
+    require_once( ABSPATH . 'wp-includes/pluggable.php');
+}
+
+$meb_backup_ajax_validator = $parms[(count($parms) - 1)];
+$meb_backup_ajax_validator_key = dirname(__FILE__);
+
+if(! wp_verify_nonce($meb_backup_ajax_validator, $meb_backup_ajax_validator_key)) {
+
+    /**
+     * @since 1.0.11
+     */
+    echo strip_tags($_POST['tag']) . $splitter_tag
+        . '<div class="warning">'
+            . __( 'There is an issue with the caller...', MEBAK_LOCALE )
+//          . '<br>' . $meb_backup_ajax_validator . ' | ' . $meb_backup_ajax_validator_key . ' = ' . wp_verify_nonce($meb_backup_ajax_validator, $meb_backup_ajax_validator_key) // debug
+        . '</div>';
+
+    exit();
+}
+
 #
 #   $parms
@@ -260 +287 @@
                 .'<div style="float:left;">'
                     .'<p style="margin:0;cursor:pointer;" onclick="javascript:'
-                                    .'sndReq(\'get_site_dirs_list\',\'dirs_list_container\',\''.$up_folder.'\');'
+                                    .'sndReq(\'get_site_dirs_list\',\'dirs_list_container\',\''.$up_folder . AJAX_PARMS_SPLITTER . $meb_backup_ajax_validator .'\');'
                                     .'">'
 //. '{{{ back to: '.$up_folder.' }}}'
@@ -296 +323 @@
 
                     echo '<p class="item_folder" style="margin:0;cursor:pointer;" onclick="javascript:'
-                                        .'sndReq(\'get_site_dirs_list\',\'dirs_list_container\',\''.$parms[0].'/'.$fname.'\');'
+                                        .'sndReq(\'get_site_dirs_list\',\'dirs_list_container\',\''.$parms[0].'/'.$fname . AJAX_PARMS_SPLITTER . $meb_backup_ajax_validator .'\');'
                                         .'">' . $tmp . $fname . '</p>';
                     $t++;
@@ -321 +348 @@
                 . '</p>'
 
-                .'<input id="new_folder" name="newfolder" type="text" value="'.$_POST['newfolder'].'" size="40" maxlength="128" />'
+                .'<input id="new_folder" name="newfolder" type="text" value="' . strip_tags($_POST['newfolder']) . '" size="40" maxlength="128" />' // 1.0.11
 
                 .'<div style="text-align:right;margin-top:8px;">'
@@ -329 +356 @@
                                         .'if(document.getElementById(\'new_folder\').value!=\'\'){'
 //.'alert(document.getElementById(\'new_folder\').value);'  #debug
-                                            .'sndReq(\'create_dir_exec\',\'dirs_list_container_msgs\',\''.$parms[0].AJAX_PARMS_SPLITTER.'\'+document.getElementById(\'new_folder\').value);'
+                                            .'sndReq(\'create_dir_exec\',\'dirs_list_container_msgs\',\''.$parms[0].AJAX_PARMS_SPLITTER.'\'+document.getElementById(\'new_folder\').value+\''. AJAX_PARMS_SPLITTER . $meb_backup_ajax_validator .'\');'
                                         .'}else{'
                                             .'alert(\''.__( 'Please enter the name of the folder you want to create!', MEBAK_LOCALE ) . '\');'
@@ -370 +397 @@
                     echo '<span style="color:green;">' . __( 'Done!', MEBAK_LOCALE ) . '</span>';
 
-                    $js = 'sndReq(\'get_site_dirs_list\',\'dirs_list_container\',\''.$parms[0].'/'.$parms[1].'\');';
+                    $js = 'sndReq(\'get_site_dirs_list\',\'dirs_list_container\',\''.$parms[0].'/'.$parms[1] . AJAX_PARMS_SPLITTER . $meb_backup_ajax_validator .'\');';
                 }
                 else

myeasybackup/trunk/inc/myEASYcom.php

@@ -3 +3 @@
  * myEASYcom.php: common functions for the myEASYwp plugins serie
  *
+ * Version: 1.4 - 26 January 2012
  * Version: 1.3 - 23 July 2011
  * Author: Ugo Grandolini aka "Camaleo"

myeasybackup/trunk/meb-config.php

@@ -6 +6 @@
  * @author Ugo Grandolini
  */
-define('MYEASYBACKUP_VERSION', '1.0.6');
+define('MYEASYBACKUP_VERSION', '1.0.10');
 define('MEBAK_LOCALE', 'myEASYbackup');     #   the locale for translations - 1.0.5.1
 

myeasybackup/trunk/meb_download.php

@@ -45 +45 @@
 $file = MEBAK_BACKUP_PATH . '/' . $file_name;
 
-if(file_exists($file))
+//if(file_exists($file))                    // 1.0.9
+if(file_exists($file) && (!is_dir($file)))  // 1.0.11
 {
     $bytes = filesize($file);

myeasybackup/trunk/meb_settings.php

@@ -1346 +1346 @@
                                     .'\'+document.getElementById(\'meb_ftp_timeout\').value+\''.AJAX_PARMS_SPLITTER
                                     .'\'+pasv+\''.AJAX_PARMS_SPLITTER
+                                    . MEB_BACKUP_AJAX_VALIDATOR
                         .'\');'
                         .'return false;'
@@ -1425 +1426 @@
 
         ?><div id="dirs_list_container" style="background-color:#F1F1F1;width:100%;border:1px solid #DFDFDF;margin:0 0 8px 0;padding:8px;-moz-border-radius:6px;border-radius:6px;"></div>
-        <script type="text/javascript">sndReq('get_site_dirs_list','dirs_list_container','<?php echo $_POST['meb_backup_root']; ?>');</script>
+        <script type="text/javascript">sndReq('get_site_dirs_list','dirs_list_container','<?php echo $_POST['meb_backup_root'] . AJAX_PARMS_SPLITTER . MEB_BACKUP_AJAX_VALIDATOR; /* 1.0.10 */ ?>');</script>
     </div>
     <div style="clear:both;"></div>
@@ -1487 +1488 @@
                                         .'pwd+\''.AJAX_PARMS_SPLITTER
                                         .'\'+document.getElementById(\'meb_ally_pubkey\').value+\''.AJAX_PARMS_SPLITTER
+                                        . MEB_BACKUP_AJAX_VALIDATOR
                             .'\');'
                             .'return false;'

myeasybackup/trunk/myeasybackup.php

@@ -4 +4 @@
 Plugin URI: http://myeasywp.com/plugins/myeasybackup/
 Description: Backup your WordPress site (code and database) with a click.
-Version: 1.0.9
+Version: 1.0.11
 Author: Ugo Grandolini aka "camaleo"
 Author URI: http://grandolini.com
 */
 /*
-    Copyright (C) 2010 Ugo Grandolini  (email : [email protected])
+    Copyright (C) 2010,2012 Ugo Grandolini  (email : [email protected])
 
     This program is free software: you can redistribute it and/or modify
@@ -83 +83 @@
 define('MYEASY_CDN_CSS', MYEASY_CDN . 'css/');
 define('MYEASY_CDN_JS', MYEASY_CDN . 'js/');
-
 /* 1.0.8: END */
 
+
+/* 1.0.11: BEG */
+if(!defined('AJAX_CALLER') || AJAX_CALLER == false) {
+
+    if(!function_exists('wp_create_nonce')) {
+
+        require_once( ABSPATH . 'wp-includes/pluggable.php');
+    }
+    $meb_backup_ajax_validator_key = dirname(__FILE__);
+    $meb_backup_ajax_validator = wp_create_nonce($meb_backup_ajax_validator_key);
+
+    define('MEB_BACKUP_AJAX_VALIDATOR_KEY', $meb_backup_ajax_validator_key);
+    define('MEB_BACKUP_AJAX_VALIDATOR', $meb_backup_ajax_validator);
+}
+/* 1.0.11: END */
 
 

myeasybackup/trunk/readme.txt

@@ -4 +4 @@
 Tags: myeasy, backup, migrate, admin, administration, ajax, comments, google, facebook, image, images, links, jquery, plugin, plugins, post, posts, rss, seo, sidebar, social, twitter, video, widget, wordpress, youtube
 Requires at least: 2.5
-Tested up to: 3.3
-Stable tag: trunk
+Tested up to: 3.3.*
+Stable tag: 1.0.11
 
 Backup, restore, migrate your WP installation, both code and MySQL tables, with a single click. <a href="http://is.gd/hUwBx" target="_blank">Screen shots</a>
@@ -70 +70 @@
 == Changelog ==
 
+= 1.0.11 (27 January 2012) =
+Improves the fix applied with version 1.0.9 and fixes the possibility for malicious user to discover the directory structure of the target site as kindly reported by Pavel Komisarchuk of <a href="http://6scan.com/" target="_blank">6scan.com</a>.
+
 = 1.0.9 (17 January 2012) =
-Fixes the exploit described at <a href="http://packetstormsecurity.org/files/108711/">Packet Storm</a>.
+Fixes the exploit described at <a href="http://packetstormsecurity.org/files/108711/" target="_blank">Packet Storm</a>.
 
 = 1.0.8.1 (24 July 2011) =