Project: WordPress Plugin Backup Bank: WordPress Backup Plugin 4.0.21

Vulnerability: #8313595 (2018-06-07 22:46:46)

Warning

Many of these findings are false positives or are not exploitable. Please create a working "PoC" exploit before reporting anything to the vendor!

Details:

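Sink: Standard::gzopen
Risk: _REQUEST — the tainted source is the `restore_path` request parameter read at action-library.php:177. On the path in the callstack below, only `basename($restore_path)` (line 188) is appended to the stored `folder_location` before the result is passed at line 192 and reaches gzopen() at helper.php:2011, so the request appears to control the file name but not the directory. The unreduced `$restore_path` is also handed to the backup_bank_restore constructor (line 189), whose use of it is not shown. The branch runs only after wp_verify_nonce() succeeds (line 175); any capability check lies outside the excerpts shown.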
/wp-backup-bank/lib/action-library.php:177
157                    $update_email_setting_data = array();
158                    $update_email_setting_data["backup_to_email"] = sanitize_text_field($email_settings_form_data["ux_ddl_email_settings_enable_disable"]);
159                    $update_email_setting_data["email_address"] = sanitize_text_field($email_settings_form_data["ux_txt_email_address"]);
160                    $update_email_setting_data["cc_email"] = sanitize_text_field($email_settings_form_data["ux_txt_email_cc"]);
161                    $update_email_setting_data["bcc_email"] = sanitize_text_field($email_settings_form_data["ux_txt_email_bcc"]);
162                    $update_email_setting_data["email_subject"] = sanitize_text_field($email_settings_form_data["ux_txt_email_subject"]);
163                    $update_email_setting_data["email_message"] = htmlspecialchars_decode($email_settings_form_data["ux_txt_email_settings_message"]);
164  
165                    $email_setting_data = array();
166                    $where = array();
167                    $where["meta_id"] = isset($bb_email_settings_id) ? intval($bb_email_settings_id) : 0;
168                    $where["meta_key"] = "email_settings";
169                    $email_setting_data["meta_value"] = serialize($update_email_setting_data);
170                    $obj_dbHelper_backup_bank->updateCommand(backup_bank_meta(), $email_setting_data, $where);
171                 }
172                 break;
173  
174              case "backup_bank_manage_backups_module":
175                 if (wp_verify_nonce(isset($_REQUEST["_wp_nonce"]) ? $_REQUEST["_wp_nonce"] : "", "backup_bank_manage_backups")) {
176                    $backup_id = isset($_REQUEST["id"]) ? intval($_REQUEST["id"]) : "";
177 $restore_path = isset($_REQUEST["restore_path"]) ? sanitize_text_field($_REQUEST["restore_path"]) : "";
178 179 $bb_backup_data = $wpdb->get_row
Threat level 1

Callstack:

backup_bank_restore::backup_bank_restore_backup_db /wp-backup-bank/lib/helper.php:2011
1991              $this->total_database_tables = count(explode(",", $this->database_tables));
1992              $working_dir = $file_path;
1993              $working_dir_localpath = $file_path;
1994              $import_table_prefix = $wpdb->prefix;
1995  
1996              if (@ini_get("safe_mode") && "off" != strtolower(@ini_get("safe_mode"))) {
1997                 $this->backup_bank_log(" Warning: PHP safe_mode is active on your server. Timeouts are much more likely. If these happen, then you will need to manually restore the file via phpMyAdmin or another method.\r\n");
1998              }
1999  
2000              $is_plain = (substr($working_dir_localpath, -3, 3) == "sql");
2001              $is_zip = (substr($working_dir_localpath, -7, 7) == "sql.zip");
2002  
2003              if ($is_plain) {
2004                 $dbhandle = fopen($working_dir_localpath, "r");
2005              } elseif ($is_zip) {
2006                 $zip = new Backup_bank_PclZip();
2007                 $zip->extract($working_dir_localpath, dirname($working_dir_localpath));
2008                 $working_dir_localpath = str_replace(".sql.zip", ".sql", $working_dir_localpath);
2009                 $dbhandle = fopen($working_dir_localpath, "r");
2010              } else {
2011 $dbhandle = gzopen($working_dir_localpath, "r");
2012 } 2013 if (!$dbhandle) {
@INLINE::/wp-backup-bank/lib/action-library.php /wp-backup-bank/lib/action-library.php:192
172                 break;
173  
174              case "backup_bank_manage_backups_module":
175                 if (wp_verify_nonce(isset($_REQUEST["_wp_nonce"]) ? $_REQUEST["_wp_nonce"] : "", "backup_bank_manage_backups")) {
176                    $backup_id = isset($_REQUEST["id"]) ? intval($_REQUEST["id"]) : "";
177                    $restore_path = isset($_REQUEST["restore_path"]) ? sanitize_text_field($_REQUEST["restore_path"]) : "";
178  
179                    $bb_backup_data = $wpdb->get_row
180                        (
181                        $wpdb->prepare
182                            (
183                            "SELECT meta_key,meta_value FROM " . backup_bank_meta() .
184                            " WHERE meta_id = %d", $backup_id
185                        )
186                    );
187                    $bb_backup_data_array = maybe_unserialize($bb_backup_data->meta_value);
188                    $file_name = basename($restore_path);
189                    $obj_backup_bank_restore = new backup_bank_restore($bb_backup_data_array, $restore_path);
190                    switch (sanitize_text_field($bb_backup_data_array["backup_type"])) {
191                       case "only_database":
192 $restore_ret = $obj_backup_bank_restore->backup_bank_restore_backup_db(untrailingslashit($bb_backup_data_array["folder_location"]) . "/" . $file_name);
193 break; 194