[wp-trac] [WordPress Trac] #52299: Exported user data can be listed with directory listing

WordPress Trac noreply at wordpress.org
Thu Jan 14 14:57:15 UTC 2021


#52299: Exported user data can be listed with directory listing
-----------------------------+-----------------------------
 Reporter:  lucasbustamante  |      Owner:  (none)
     Type:  defect (bug)     |     Status:  new
 Priority:  normal           |  Milestone:  Awaiting Review
Component:  Privacy          |    Version:  5.6
 Severity:  normal           |   Keywords:
  Focuses:  privacy          |
-----------------------------+-----------------------------
 === Disclosure

 This was opened as a HackerOne report at first, but upon triage it was
 requested that it be opened as a public Core ticket.

 === Description
 WordPress 4.9.6 added the tool to "Export Personal Data", in compliance
 with GDPR: https://wordpress.org/support/article/tools-export-personal-data-screen/

 Once generated, this data is stored as a .zip file in
 `wp-content/uploads/wp-personal-data-exports`, or
 `wp-content/uploads/sites/{site_id}/wp-personal-data-exports` in multi-site
 installations.

 This directory is protected from directory listing with an `index.html`.
 However, it should be an `index.php`, as used in
 `wp-content/plugins/index.php` and `wp-content/themes/index.php`. This is
 because `index.php` is the entrypoint to WordPress itself, so if a server
 has its webserver's index pointing to something other than index.php,
 WordPress won't work at all.

 That's why the index points to index.php in these examples from WordPress
 and Nginx:

 https://wordpress.org/support/article/nginx/
 https://www.nginx.com/resources/wiki/start/topics/recipes/wordpress/

 In Apache, this is controlled by DirectoryIndex
 (https://httpd.apache.org/docs/2.4/mod/mod_dir.html)

 If you have directory listing enabled, and your directory index does not
 also point at index.html, that directory can be listed, and the zip files
 with the exported user data can be downloaded directly from the browser.

 === Steps To Reproduce:
 1. Install WordPress using Nginx or Apache, enable directory listing and
  point the directory index at index.php only
 2. Go to Tools -> Export Personal Data
 3. Enter a username, eg: admin and click "Send Request"
 4. Click "Download Personal Data"
 5. Now go to https://your-url/wp-content/uploads/wp-personal-data-exports/

 === Recommendations
 Replace `index.html` with `index.php` to prevent directory listing on
 `wp-admin/includes/privacy-tools.php:325` and
 `wp-admin/includes/privacy-tools.php:510`
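 The condition described above, modelled as an added example (not code from
 WordPress or from the reporter): a server serves the first file in its index
 order that exists, and only falls back to a listing when none does, so an
 `index.html` guard is useless when the index order is `index.php` alone.
 The export directory, the zip name and the guard contents are constructed for
 the demo; the guard text mirrors the "Silence is golden" stub WordPress ships
 in `wp-content/plugins/index.php`.

```python
import os
import tempfile

# Guard file contents, as in wp-content/plugins/index.php and themes/index.php.
GUARD_PHP = "<?php\n// Silence is golden.\n"


def directory_listable(directory, index_order, autoindex=True):
    """Return True if a server with this index order (Apache DirectoryIndex /
    Nginx `index`) and listing enabled would list `directory` rather than
    serve an index file. Model: first existing name in `index_order` wins;
    if none exists and autoindex is on, the directory is listed."""
    for name in index_order:
        if os.path.isfile(os.path.join(directory, name)):
            return False
    return autoindex


def harden_export_dir(directory):
    """Apply the fix this ticket recommends: drop an index.php guard into the
    export directory. Returns the guard's path."""
    path = os.path.join(directory, "index.php")
    if not os.path.exists(path):
        with open(path, "w") as fh:
            fh.write(GUARD_PHP)
    return path


def demo():
    """Constructed scenario: a 5.6-style export directory (index.html guard
    plus one export archive) on a server whose index order is index.php only.
    Returns (listable before the fix, listable after the fix)."""
    with tempfile.TemporaryDirectory() as exports:
        open(os.path.join(exports, "index.html"), "w").close()
        open(os.path.join(exports, "wp-personal-data-file-constructed.zip"), "w").close()
        before = directory_listable(exports, ["index.php"])
        harden_export_dir(exports)
        after = directory_listable(exports, ["index.php"])
        return before, after


if __name__ == "__main__":
    print("listable before/after fix:", demo())
```

 With an index order that also names `index.html` the same directory is never
 listable, which is why the bug only shows up on the index.php-only
 configurations the ticket describes.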

 === Impact
 An attacker could gain access to this information from users who exported
 their data for privacy reasons:

 User's name, username, e-mail, session tokens with expiration date, links
 to the files they uploaded, IP address, etc.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/52299>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform