CVE-2014-8603

Name of the Vulnerable Software and Affected Versions XCloner plugin version 3.1.1 for WordPress XCloner plugin version 3.5.1 for Joomla!

Description The issue allows remote administrators to execute arbitrary code via shell metacharacters in various parameters. This can be achieved through the file name when creating a backup or through vectors related to specific variables, including $ CONFIG[tarpath], $ CONFIG['tarcompress'], $ CONFIG['filename'], $ CONFIG['exfile tar'], $ CONFIG[sqldump], $ CONFIG['mysql host'], $ CONFIG['mysql pass'], $ CONFIG['mysql user'], $database name, or $sqlfile.

Recommendations For XCloner plugin version 3.1.1 for WordPress, update to a version that fixes the issue. For XCloner plugin version 3.5.1 for Joomla!, update to a version that fixes the issue. As a temporary workaround, consider restricting access to the cloner.functions.php file until a patch is available. Avoid using shell metacharacters in the file name when creating a backup and in the variables $ CONFIG[tarpath], $ CONFIG['tarcompress'], $ CONFIG['filename'], $ CONFIG['exfile tar'], $ CONFIG[sqldump], $ CONFIG['mysql host'], $ CONFIG['mysql pass'], $ CONFIG['mysql user'], $database name, or $sqlfile until the issue is resolved.