[wp-trac] [WordPress Trac] #52299: Exported user data can be listed with directory listing
WordPress Trac
noreply at wordpress.org
Thu Jan 14 14:57:15 UTC 2021
#52299: Exported user data can be listed with directory listing
-----------------------------+-----------------------------
 Reporter:  lucasbustamante  |       Owner:  (none)
     Type:  defect (bug)     |      Status:  new
 Priority:  normal           |   Milestone:  Awaiting Review
Component:  Privacy          |     Version:  5.6
 Severity:  normal           |    Keywords:
  Focuses:  privacy          |
-----------------------------+-----------------------------
=== Disclosure
This was opened as a HackerOne report at first, but upon triage it was
requested that this was opened as a public Core ticket.
=== Description
WordPress 4.9.6 added the tool to "Export Personal Data", in compliance
with GDPR: https://wordpress.org/support/article/tools-export-personal-data-screen/
Once generated, this data is stored as a .zip file in
`wp-content/uploads/wp-personal-data-exports`, or
`wp-content/uploads/sites/{site_id}/wp-personal-data-exports` in multi-site
installations.
This directory is protected from directory listing with an `index.html`.
However, it should be an `index.php`, as used in
`wp-content/plugins/index.php` and `wp-content/themes/index.php`. This is
because `index.php` is the entrypoint to WordPress itself, so if a server
has its web server's index pointing to something other than index.php,
WordPress won't work at all.
That's why the index points to index.php in these examples from WordPress
and Nginx:
https://wordpress.org/support/article/nginx/
https://www.nginx.com/resources/wiki/start/topics/recipes/wordpress/
In Apache, this is controlled by DirectoryIndex
(https://httpd.apache.org/docs/2.4/mod/mod_dir.html)
If you have directory listing enabled, and you don't have the optional
directory index pointing at index.html, that directory can be listed, and
the zip files with the exported user data can be downloaded directly from
the browser.
=== Steps To Reproduce:
1. Install WordPress using Nginx or Apache, enable directory listing and
point the directory index at index.php
2. Go to Tools -> Export Personal Data
3. Enter a username, e.g. admin, and click "Send Request"
4. Click "Download Personal Data"
5. Now go to https://your-url/wp-content/uploads/wp-personal-data-exports/
=== Recommendations
Replace `index.html` with `index.php` to prevent directory listing on
`wp-admin/includes/privacy-tools.php:325` and
`wp-admin/includes/privacy-tools.php:510`
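The steps above and the recommended fix can both be checked locally without touching the web server. The following script is an added example written for this ticket, not code from WordPress core or the reporter: it walks a `wp-content/uploads` tree for the single-site and multisite export directories, reports whether each one carries only `index.html`, lists any export zips that would be exposed by a listing, and optionally writes the `index.php` the recommendation asks for. The `index.php` body mirrors the "Silence is golden" stub WordPress ships in `wp-content/plugins/index.php`; the sample uploads tree and zip name are constructed fixtures. A small helper also recognises the `<title>Index of ...</title>` marker that Apache `mod_autoindex` and nginx `autoindex` emit, so a site owner can confirm from a saved response whether step 5 of the reproduction actually produced a listing.

```python
"""Audit and harden the WordPress personal-data export directory (added example)."""
import tempfile
from pathlib import Path

EXPORT_DIR_NAME = "wp-personal-data-exports"
# Same stub content as wp-content/plugins/index.php in WordPress core.
INDEX_PHP_BODY = "<?php\n// Silence is golden.\n"


def find_export_dirs(uploads_root: Path) -> list[Path]:
    """Return existing export dirs: the single-site one, then one per multisite blog."""
    candidates = [uploads_root / EXPORT_DIR_NAME]
    sites = uploads_root / "sites"
    if sites.is_dir():
        for site in sorted(sites.iterdir()):
            candidates.append(site / EXPORT_DIR_NAME)
    return [c for c in candidates if c.is_dir()]


def audit_export_dir(export_dir: Path) -> dict:
    """Describe which index stub is present and which zips a listing would expose."""
    return {
        "path": str(export_dir),
        "has_index_html": (export_dir / "index.html").is_file(),
        "has_index_php": (export_dir / "index.php").is_file(),
        "zip_files": sorted(p.name for p in export_dir.glob("*.zip")),
    }


def harden_export_dir(export_dir: Path) -> bool:
    """Create index.php if it is missing (the ticket's recommendation). True if written."""
    target = export_dir / "index.php"
    if target.exists():
        return False
    target.write_text(INDEX_PHP_BODY)
    return True


def run_audit(uploads_root: Path, fix: bool = False) -> list[dict]:
    """Audit every export dir under uploads_root; with fix=True also write index.php."""
    results = []
    for export_dir in find_export_dirs(uploads_root):
        report = audit_export_dir(export_dir)
        report["fixed"] = harden_export_dir(export_dir) if fix else False
        results.append(report)
    return results


def looks_like_directory_listing(body: str) -> bool:
    """Heuristic: Apache mod_autoindex and nginx autoindex both title the page 'Index of /...'."""
    return "<title>index of /" in body.lower()


def build_demo_uploads(root: Path) -> Path:
    """Constructed fixture: one single-site export dir and one multisite export dir."""
    single = root / EXPORT_DIR_NAME
    single.mkdir(parents=True)
    (single / "index.html").write_text("")
    # Minimal empty-zip bytes (end-of-central-directory record only); constructed, not real user data.
    (single / "wp-personal-data-file-demo.zip").write_bytes(b"PK\x05\x06" + b"\x00" * 18)
    multi = root / "sites" / "2" / EXPORT_DIR_NAME
    multi.mkdir(parents=True)
    (multi / "index.html").write_text("")
    return root


# Constructed sample responses: an nginx autoindex page and a normal WordPress page.
SAMPLE_LISTING = "<html><head><title>Index of /wp-content/uploads/wp-personal-data-exports/</title></head></html>"
SAMPLE_NORMAL = "<html><head><title>Demo Site</title></head><body></body></html>"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_uploads(Path(tmp))
        print("before:", run_audit(root))
        print("fix:", run_audit(root, fix=True))
        print("after:", run_audit(root))
    print("listing?", looks_like_directory_listing(SAMPLE_LISTING),
          looks_like_directory_listing(SAMPLE_NORMAL))
```

Run it against a real install by pointing `run_audit` at `wp-content/uploads`; writing `index.php` is only a safety net for servers whose `DirectoryIndex` (Apache) or `index` (nginx) omits `index.html`, and does not replace turning `autoindex`/`Options Indexes` off.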
=== Impact
An attacker could have access to this information from users who exported
their data for privacy reasons:
User's name, username, e-mail, session tokens with expiration date, links
to the files he/she uploaded, IP address, etc.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/52299>
WordPress Trac <https://core.trac.wordpress.org/>