Duplicator is a WordPress plugin used to migrate and copy sites. With Duplicator, sysadmins can create a package of the site, and the generated archive can then be downloaded from the WP dashboard.
Exploiting the newly discovered zero-day vulnerability allows unauthenticated attackers to download arbitrary files, such as wp-config.php with its database credentials, from a target site. More than 1 million WordPress websites are affected by this security flaw.
When a user creates a copy of a WP site and clicks the download button, the dashboard triggers a call to the WordPress AJAX handler (admin-ajax.php) with the action duplicator_download and a file parameter naming the archive to send.
"Unfortunately the duplicator_download action was registered via wp_ajax_nopriv_ and was accessible to unauthenticated users. To make things worse, no validation limited the filepaths being downloaded. The file parameter is passed through sanitize_text_field and appended to the plugin constant DUPLICATOR_SSDIR_PATH, but directory traversal was still possible. An attacker could access files outside of Duplicator's intended directory by submitting values like ../../../file.php to navigate throughout the server's file structure." - Wordfence
The vulnerable handler as shipped in the plugin (the page shows only the beginning of the function):

```php
function duplicator_init() {
    if (isset($_GET['action']) && $_GET['action'] == 'duplicator_download') {
        // sanitize_text_field() strips tags and stray whitespace but leaves "../" untouched
        $file = sanitize_text_field($_GET['file']);
        // Plain concatenation: nothing checks that the result stays inside DUPLICATOR_SSDIR_PATH
        $filepath = DUPLICATOR_SSDIR_PATH.'/'.$file;
        // Process download
        if(file_exists($filepath)) {
            // Clean output buffer
            if (ob_get_level() !== 0 && @ob_end_clean() === FALSE) {
                @ob_clean();
            }
            // ... the remainder of the download handling is not shown on this page
        }
    }
}
```
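To make the traversal concrete, here is an added Python model of the flaw and of a hardened replacement. It is not the plugin's code and not PHP: it reproduces the original concatenation next to a resolver that canonicalises the requested path and only serves it if it stays under the snapshot directory. The directory /var/www/html/wp-snapshots stands in for DUPLICATOR_SSDIR_PATH and is an assumption, as are the sample file names. The containment check is lexical (posixpath.normpath) so that it runs offline; the equivalent PHP fix would use realpath() so that symlinks are resolved as well.

```python
import posixpath
from typing import Optional

# Hypothetical snapshot directory standing in for DUPLICATOR_SSDIR_PATH (assumption:
# Duplicator keeps its packages in a subdirectory of the WordPress root).
SSDIR_PATH = "/var/www/html/wp-snapshots"


def vulnerable_filepath(base: str, file_param: str) -> str:
    """Model of the original code: base + '/' + file with no traversal check.

    The result is normalised only so the caller can see where the path really
    points; the plugin itself handed the raw concatenation to file_exists().
    """
    return posixpath.normpath(base + "/" + file_param)


def safe_filepath(base: str, file_param: str) -> Optional[str]:
    """Hardened resolution: canonicalise, then require the result to stay inside base.

    Returns the resolved path, or None when the request must be rejected.
    """
    base_real = posixpath.normpath(base)

    # NUL bytes truncate paths in C-level filesystem calls; never let them through.
    if "\x00" in file_param:
        return None

    # A leading '/' would otherwise make posixpath.join discard the base entirely.
    candidate = posixpath.normpath(posixpath.join(base_real, file_param.lstrip("/")))

    # Prefix check WITH the trailing separator so that a sibling such as
    # /var/www/html/wp-snapshots-evil is not mistaken for a path inside the base,
    # and so that the base directory itself (empty file parameter) is refused.
    if not candidate.startswith(base_real + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # The exact value from the exploitation indicators below lands on wp-config.php.
    print(vulnerable_filepath(SSDIR_PATH, "/../wp-config.php"))
    print(vulnerable_filepath(SSDIR_PATH, "../../../wp-config.php"))
    print(safe_filepath(SSDIR_PATH, "/../wp-config.php"))
    print(safe_filepath(SSDIR_PATH, "20200212_mysite_archive.zip"))
```

Note that the sanitisation the plugin did apply (sanitize_text_field) is irrelevant to this bug: the dangerous characters are ordinary dots and slashes, so only a post-resolution containment check, or an allow-list of basenames, closes the hole.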
What are the signs of exploiting this vulnerability?
If you see the following query strings in a GET request, someone is probing or actively exploiting the vulnerability against your site (the file value may also arrive percent-encoded, e.g. %2F for /, and a 200 response means the download succeeded):
action=duplicator_download
file=/../wp-config.php
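Turning these indicators into something you can run over your logs: the scanner below is an added Python example, not a BitNinja tool, and works on constructed access-log lines in the usual combined format (RFC 5737 documentation addresses, made up for this example). It flags every request whose action is duplicator_download and whose file value is absolute, contains a parent-directory component, or names wp-config.php, after undoing repeated percent-encoding. Because the plugin's init hook inspects $_GET['action'] directly, matching is deliberately not limited to admin-ajax.php.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines (combined log format); not captured from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2020:10:01:03 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=/../wp-config.php HTTP/1.1" 200 3021 "-" "curl/7.64.0"
203.0.113.7 - - [12/Feb/2020:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1814 "-" "curl/7.64.0"
198.51.100.22 - - [12/Feb/2020:10:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=20200212_mysite_archive.zip HTTP/1.1" 200 88112233 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Feb/2020:10:03:41 +0000] "GET /?page_id=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Feb/2020:10:04:00 +0000] "GET /index.php?action=duplicator_download&file=..%252Fwp-config.php HTTP/1.1" 200 3021 "-" "python-requests/2.22"
192.0.2.9 - - [12/Feb/2020:10:04:07 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=../wp-config.php HTTP/1.1" 403 199 "-" "python-requests/2.22"
"""

# ip ident user [timestamp] "METHOD target HTTP/x.y" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (e.g. %252F -> %2F -> /) so the filter sees the real path.

    PHP decodes only once, so a double-encoded value would not actually traverse,
    but it is still a probe worth reporting.
    """
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(file_param: str) -> bool:
    """True when the file value could leave the snapshot directory or targets wp-config.php."""
    path = fully_decode(file_param).replace("\\", "/")
    return (
        path.startswith("/")            # base + '/' + '/../x' still escapes (see the plugin code)
        or ".." in path.split("/")      # any parent-directory component
        or "wp-config.php" in path.lower()
    )


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one record per suspicious duplicator_download request, in log order."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        if query.get("action", [""])[0] != "duplicator_download":
            continue
        file_param = query.get("file", [""])[0]   # already percent-decoded once by parse_qs
        if is_traversal(file_param):
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "status": m.group("status"),      # 200 = file was served, 403 = blocked (e.g. by a WAF)
                "file": fully_decode(file_param),
                "target": m.group("target"),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} status={hit['status']} file={hit['file']}")
```

The legitimate download of 20200212_mysite_archive.zip is not reported, while the 403 on the last line is still listed: a blocked attempt tells you the source address is scanning for this bug even though nothing leaked.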
BitNinja patches the Duplicator Vulnerability
This vulnerability is trivial to exploit, so if Duplicator is installed on your WordPress site you should take action right now.
Updating the plugin is the real fix, but BitNinja also provides protection server-wide. If BitNinja WAF is already running on your servers with the default settings, these requests are already being blocked.
The Recommended ruleset contains the WAF rule that covers the Duplicator vulnerability. If you want to verify that it cannot be exploited on your servers, follow these steps:
1. Make sure that BitNinja WAF is active on your servers
2. Check the status of the rule 930120 OS File Access
The rule is enabled in the Recommended ruleset by default, so no further steps are required. Still, you can confirm you are covered by checking that rule 930120 OS File Access is active.
WAF rule 930120 blocks requests that reference wp-config.php (or other sensitive OS and application files on its list) in GET parameters, so the traversal request above is rejected before it reaches the plugin. Because the rule keys on the file name rather than on the ../ traversal itself, it is not a substitute for updating Duplicator.