{"id":213,"date":"2026-02-11T16:38:45","date_gmt":"2026-02-11T15:38:45","guid":{"rendered":"https:\/\/helloblog.io\/lv\/kritiska-wpvivid-backup-ievainojamiba-arbitrary-file-upload\/"},"modified":"2026-02-11T16:38:45","modified_gmt":"2026-02-11T15:38:45","slug":"kritiska-wpvivid-backup-ievainojamiba-arbitrary-file-upload","status":"publish","type":"post","link":"https:\/\/helloblog.io\/lv\/kritiska-wpvivid-backup-ievainojamiba-arbitrary-file-upload\/","title":{"rendered":"Kritiska WPvivid Backup ievainojam\u012bba: l\u012bdz 800 000 WordPress instal\u0101ciju risk\u0101, ja aktiviz\u0113ta \u201csend backup to this site\u201d atsl\u0113ga"},"content":{"rendered":"\n

WordPress dro\u0161\u012bbas zi\u0146\u0101s ir \u013coti konkr\u0113ts gad\u012bjums, kur \u201cit k\u0101 ni\u0161as funkcija\u201d p\u0113k\u0161\u0146i k\u013c\u016bst par kritisku risku lielam instal\u0101ciju skaitam. Wordfence komanda zi\u0146oja par neautentific\u0113tu Arbitrary File Upload<\/strong> ievainojam\u012bbu WPvivid Backup & Migration spraudn\u012b (WordPress.org slugs: wpvivid-backuprestore<\/code>), kuram ir vair\u0101k nek\u0101 800 000<\/strong> akt\u012bvu instal\u0101ciju.<\/p>\n\n\n\n

Slikt\u0101 zi\u0146a: ievainojam\u012bba \u013cauj uzbruc\u0113jam aug\u0161upiel\u0101d\u0113t patva\u013c\u012bgus failus<\/strong> un praktiski non\u0101kt l\u012bdz Remote Code Execution (RCE)<\/strong> \u2013 t.i., palaist \u013caunpr\u0101t\u012bgu kodu uz servera, kas bie\u017ei beidzas ar pilnu vietnes p\u0101r\u0146em\u0161anu (webshell, backdoor u.c.). Lab\u0101 zi\u0146a: p\u0113c Wordfence inform\u0101cijas, kritiskais risks attiecas tikai<\/strong> uz t\u0101m vietn\u0113m, kur spraud\u0146a iestat\u012bjumos ir \u0123ener\u0113ta atsl\u0113ga<\/strong>, lai \u013cautu citai vietnei nos\u016bt\u012bt rezerves kopiju uz j\u016bsu vietni (\u0161\u012b iesp\u0113ja ir izsl\u0113gta p\u0113c noklus\u0113juma<\/strong>, un atsl\u0113gas der\u012bguma termi\u0146u var uzst\u0101d\u012bt maksimums uz 24 stund\u0101m<\/strong>).<\/p>\n\n\n\n

Kas tie\u0161i ir atkl\u0101ts (kopsavilkums)<\/h2>\n\n\n\n
    \n\n
  • Ievainojam\u012bba: Unauthenticated Arbitrary File Upload<\/strong> (neautentific\u0113ts patva\u013c\u012bgu failu aug\u0161upiel\u0101des caurums).<\/li>\n\n\n
  • Ietekm\u0113tais spraudnis: Migration, Backup, Staging – WPvivid Backup & Migration<\/strong> (wpvivid-backuprestore<\/code>).<\/li>\n\n\n
  • Ietekm\u0113t\u0101s versijas: \u2264 0.9.123<\/strong>.<\/li>\n\n\n
  • Salabot\u0101 versija: 0.9.124<\/strong>.<\/li>\n\n\n
  • CVE: CVE-2026-1357<\/strong>.<\/li>\n\n\n
  • Smagums: CVSS 9.8 (Critical)<\/strong>.<\/li>\n\n\n
  • Ekspluat\u0101cijas rezult\u0101ts: iesp\u0113jams aug\u0161upiel\u0101d\u0113t \u013caunpr\u0101t\u012bgu PHP failu publiski pieejam\u0101 direktorij\u0101 un pan\u0101kt RCE<\/strong>.<\/li>\n\n\n
  • Kritisk\u0101 ietekme praks\u0113: galvenok\u0101rt vietn\u0113m, kur iestat\u012bjumos ir izveidota atsl\u0113ga \u201csa\u0146emt backup no citas vietnes\u201d (funkcija p\u0113c noklus\u0113juma atsl\u0113gta, atsl\u0113ga der max 24h).<\/li>\n\n<\/ul>\n\n\n\n

    Aizsardz\u012bba un termi\u0146i: Wordfence ugunsm\u016bra noteikumi<\/h2>\n\n\n\n

    Wordfence nor\u0101da, ka aizsardz\u012bba ar ugunsm\u016bra (WAF) noteikumu tika izplat\u012bta \u0161\u0101dos termi\u0146os:<\/p>\n\n\n\n

      \n\n
    • Wordfence Premium<\/strong>, Wordfence Care<\/strong> un Wordfence Response<\/strong> lietot\u0101ji ugunsm\u016bra noteikumu sa\u0146\u0113ma 2026. gada 22. janv\u0101r\u012b<\/strong>.<\/li>\n\n\n
    • Wordfence Free<\/strong> lietot\u0101ji to pa\u0161u aizsardz\u012bbu sa\u0146ems 30 dienas v\u0113l\u0101k – 2026. gada 21. febru\u0101r\u012b<\/strong>.<\/li>\n\n<\/ul>\n\n\n\n
      \n\n

      Svar\u012bgi<\/h4>\n\n\n

      Pat ja tev ir Wordfence, prim\u0101rais labojums ir atjaunin\u0101t WPvivid<\/strong> uz salaboto versiju. Ugunsm\u016bris ir papildu aizsardz\u012bbas sl\u0101nis, nevis iemesls atlikt atjaunin\u0101jumu.<\/p>\n\n<\/div>\n\n\n\n

      Ko dar\u012bt t\u016bl\u012bt (\u012bpa\u0161i, ja izmanto \u201cSend backup to this site\u201d funkciju)<\/h2>\n\n\n\n
        \n\n
      1. P\u0101rbaudi WPvivid Backup & Migration versiju: ja t\u0101 ir 0.9.123 vai vec\u0101ka<\/strong>, pl\u0101no steidzamu atjaunin\u0101jumu.<\/li>\n\n\n
      2. Atjaunini spraudni uz 0.9.124<\/strong> (Wordfence publik\u0101cijas br\u012bd\u012b t\u0101 ir versija ar pilnu iel\u0101pu).<\/li>\n\n\n
      3. WPvivid iestat\u012bjumos p\u0101rbaudi, vai ir \u0123ener\u0113ta atsl\u0113ga, kas \u013cauj citai vietnei s\u016bt\u012bt backup uz tavu vietni. Ja funkcija nav nepiecie\u0161ama, atst\u0101j to izsl\u0113gtu p\u0113c noklus\u0113juma pieej\u0101 un neveido atsl\u0113gas bez vajadz\u012bbas.<\/li>\n\n\n
      4. Ja atsl\u0113gu izmanto, \u0146em v\u0113r\u0101, ka atsl\u0113gas der\u012bguma termi\u0146u var uzst\u0101d\u012bt maksimums uz 24 stund\u0101m<\/strong> – tas jau p\u0113c dizaina ierobe\u017eo ekspoz\u012bcijas laiku, bet ievainojam\u012bbas gad\u012bjum\u0101 kritiska ir tie\u0161i akt\u012bvas atsl\u0113gas kl\u0101tb\u016btne.<\/li>\n\n\n
      5. Ja ir aizdomas par kompromit\u0101ciju (nezin\u0101mi PHP faili uploads direktorij\u0101s, d\u012bvaini cron, jauni admin lietot\u0101ji), veic incidenta izmekl\u0113\u0161anu un t\u012br\u012b\u0161anu, jo \u0161\u0101da klase ievainojam\u012bbu bie\u017ei tiek izmantota webshell ievieto\u0161anai.<\/li>\n\n<\/ol>\n\n\n\n

        Tehnisk\u0101 anal\u012bze: k\u0101p\u0113c \u0161is caurums str\u0101d\u0101<\/h2>\n\n\n\n

        WPvivid ir funkcija, kas \u013cauj sa\u0146emt rezerves kopiju no citas vietnes<\/strong>. Lai to izdar\u012btu, spraudnis izmanto \u012bstermi\u0146a \u0123ener\u0113tu atsl\u0113gu. Wordfence anal\u012bz\u0113 min\u0113ts, ka rezerves kopiju sa\u0146em\u0161anu apstr\u0101d\u0101 send_to_site()<\/code> funkcija klas\u0113 WPvivid_Send_to_site<\/code> (ieejas punkts ar parametru wpvivid_action=send_to_site<\/code>).<\/p>\n\n\n\n

        Pl\u016bsma ir aptuveni \u0161\u0101da: no $_POST['wpvivid_content']<\/code> tiek sa\u0146emts base64 kod\u0113ts saturs, tas tiek atkod\u0113ts un nodots at\u0161ifr\u0113\u0161anai (decrypt_message()<\/code>), izmantojot spraud\u0146a iestat\u012bjumos saglab\u0101to atsl\u0113gu materi\u0101lu. Probl\u0113ma rodas kriptogr\u0101fijas posm\u0101 un p\u0113c tam faila pierakst\u012b\u0161an\u0101 uz diska.<\/p>\n\n\n\n

        1) Nepareiza k\u013c\u016bdu apstr\u0101de RSA at\u0161ifr\u0113\u0161an\u0101 \u2192 paredzama AES\/Rijndael atsl\u0113ga<\/h3>\n\n\n\n

        Ievainojam\u012bbas aprakst\u0101 ir divas kombin\u0113tas probl\u0113mas. Pirm\u0101: ja sesijas atsl\u0113gas RSA at\u0161ifr\u0113\u0161ana neizdodas (Wordfence piemin openssl_private_decrypt()<\/code> neveiksmi un to, ka izpilde netiek aptur\u0113ta), rezult\u0101ts var b\u016bt false<\/code>. \u0160is false<\/code> non\u0101k t\u0101l\u0101k l\u012bdz AES\/Rijndael \u0161ifra inicializ\u0101cijai (phpseclib), un bibliot\u0113ka false<\/code> v\u0113rt\u012bbu interpret\u0113 k\u0101 virkni no null-baitiem (null bytes).<\/p>\n\n\n\n

        No uzbruc\u0113ja skatpunkta tas ir kritiski: ja \u0161ifr\u0113\u0161anas atsl\u0113ga k\u013c\u016bst paredzama<\/strong> (praktiski \u201cnull-baitu atsl\u0113ga\u201d), uzbruc\u0113js var sagatavot \u0161ifr\u0113tu payload, kas tiks korekti \u201cat\u0161ifr\u0113ts\u201d ar \u0161o paredzamo atsl\u0113gu. Rezult\u0101t\u0101 iesp\u0113jams kontrol\u0113t t\u0101l\u0101k apstr\u0101d\u0101jamo saturu, neesot autentific\u0113tam.<\/p>\n\n\n\n

        2) Faila ce\u013ca sanitiz\u0101cijas tr\u016bkums + failu tipu\/ekstenziju kontroles tr\u016bkums<\/h3>\n\n\n\n

        Otr\u0101 probl\u0113ma: spraudnis pie\u0146em faila nosaukumu no at\u0161ifr\u0113t\u0101 payload bez pietiekamas sanitiz\u0101cijas, kas \u013cauj directory traversal<\/strong> (izk\u013c\u016bt \u0101rpus aizsarg\u0101t\u0101 backup direktorija). Kombin\u0101cij\u0101 ar to, ka aug\u0161upiel\u0101des funkcij\u0101 s\u0101kotn\u0113ji nebija faila tipa vai ekstenzijas ierobe\u017eojumu, uzbruc\u0113js var m\u0113\u0123in\u0101t aug\u0161upiel\u0101d\u0113t, piem\u0113ram, PHP<\/strong> failu k\u0101d\u0101 publiski sasniedzam\u0101 direktorij\u0101 un p\u0113c tam to izsaukt caur p\u0101rl\u016bku, lai pan\u0101ktu Remote Code Execution<\/strong>.<\/p>\n\n\n\n

        \n\n

        K\u0101p\u0113c Arbitrary File Upload gandr\u012bz vienm\u0113r ir \u201cgame over\u201d<\/h4>\n\n\n

        Ja uzbruc\u0113js var aug\u0161upiel\u0101d\u0113t PHP failu webroot zon\u0101 un to izsaukt, t\u0101l\u0101k parasti seko webshell, jaunu admin kontu izveide, spraud\u0146u\/t\u0113mu aizvieto\u0161ana, datu eksfiltr\u0101cija un persistences meh\u0101nismi.<\/p>\n\n<\/div>\n\n\n\n

        Iel\u0101ps 0.9.124: kas tika main\u012bts<\/h2>\n\n\n\n

        Wordfence apraksta divus b\u016btiskus labojumus, ko ieviesa WPvivid izstr\u0101d\u0101t\u0101ji.<\/p>\n\n\n\n

        1) decrypt_message()<\/code> p\u0101rtrauc darbu, ja RSA atsl\u0113ga ir neder\u012bga<\/h3>\n\n\n\n

        Iel\u0101p\u0101 pievienota p\u0101rbaude uz $key<\/code> v\u0113rt\u012bbu: ja p\u0113c RSA at\u0161ifr\u0113\u0161anas atsl\u0113ga ir false<\/code> vai tuk\u0161a, funkcija atgrie\u017e false<\/code> un t\u0101l\u0101k netiek inicializ\u0113ts Rijndael \u0161ifrs ar \u201cnull-baitu\u201d atsl\u0113gu.<\/p>\n\n\n\n

        <\/circle><\/circle><\/circle><\/g><\/svg><\/span>