Project: Wordpress Plugin Backup Bank: WordPress Backup Plugin 4.0.21

Vulnerability: #8313596 (2018-06-07 22:46:46)

Warning

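Many findings are false positives or describe unexploitable vulnerabilities. Please create a working "PoC" exploit before reporting anything to the vendor! In the excerpts below, the request value restore_path passes through sanitize_text_field() and basename(), and the log line passes through strip_tags(), before fwrite() is reached, so check what input survives those filters before rating this finding.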

Details:

Sink Standard::fwrite
Risk _REQUEST
/wp-backup-bank/lib/action-library.php:177 (show/hide source)
157                    $update_email_setting_data = array();
158                    $update_email_setting_data["backup_to_email"] = sanitize_text_field($email_settings_form_data["ux_ddl_email_settings_enable_disable"]);
159                    $update_email_setting_data["email_address"] = sanitize_text_field($email_settings_form_data["ux_txt_email_address"]);
160                    $update_email_setting_data["cc_email"] = sanitize_text_field($email_settings_form_data["ux_txt_email_cc"]);
161                    $update_email_setting_data["bcc_email"] = sanitize_text_field($email_settings_form_data["ux_txt_email_bcc"]);
162                    $update_email_setting_data["email_subject"] = sanitize_text_field($email_settings_form_data["ux_txt_email_subject"]);
163                    $update_email_setting_data["email_message"] = htmlspecialchars_decode($email_settings_form_data["ux_txt_email_settings_message"]);
164  
165                    $email_setting_data = array();
166                    $where = array();
167                    $where["meta_id"] = isset($bb_email_settings_id) ? intval($bb_email_settings_id) : 0;
168                    $where["meta_key"] = "email_settings";
169                    $email_setting_data["meta_value"] = serialize($update_email_setting_data);
170                    $obj_dbHelper_backup_bank->updateCommand(backup_bank_meta(), $email_setting_data, $where);
171                 }
172                 break;
173  
174              case "backup_bank_manage_backups_module":
175                 if (wp_verify_nonce(isset($_REQUEST["_wp_nonce"]) ? $_REQUEST["_wp_nonce"] : "", "backup_bank_manage_backups")) {
176                    $backup_id = isset($_REQUEST["id"]) ? intval($_REQUEST["id"]) : "";
177 $restore_path = isset($_REQUEST["restore_path"]) ? sanitize_text_field($_REQUEST["restore_path"]) : "";
178 179 $bb_backup_data = $wpdb->get_row
Threat level 2

Callstack:

backup_bank_restore::backup_bank_log /wp-backup-bank/lib/helper.php:1520 (show/hide source)
1500                       $this->files_restored++;
1501                       if ($this->files_restored % 100 == 0) {
1502                          $this->backup_bank_log("<b>" . $this->files_restored . "</b> Files has been Restored.\r\n");
1503                       }
1504                    }
1505                 }
1506              }
1507              closedir($dir);
1508           }
1509           public function open_logfile_backup_bank($logfile_name) {
                  // Opens the restore log at the caller-supplied path and writes a header line.
                  // The path is used exactly as passed in; this method does no validation of it.
                  // NOTE(review): whether callers keep this file outside web-readable directories
                  // is not visible here -- confirm, since the header line carries the site URL and
                  // other log calls in this class write local file paths.
1510              $this->logfile_name = $logfile_name;
                  // Append mode: an existing log is extended, not truncated. The fopen() result is
                  // not checked here; backup_bank_log() skips the write when the handle is falsy,
                  // so a failed open leaves the restore running without a log.
1511              $this->logfile_handle = fopen($this->logfile_name, "a");
                  // Reference time: backup_bank_log() subtracts it to prefix each line with the
                  // seconds elapsed since the log was opened.
1512              $this->opened_log_time = microtime(true);
1513              $this->backup_bank_log("Log file opened on " . date("r") . " on " . network_site_url() . "\r\n");
                  // Declared but not used anywhere in this method.
1514              global $wpdb, $wp_version;
1515              $this->restore_microtime_start = microtime(true);
1516           }
1517           public function backup_bank_log($line) {
1518              if ($this->logfile_handle) {
1519                 $rtime = microtime(true) - $this->opened_log_time;
1520 fwrite($this->logfile_handle, sprintf("%08.03f", round($rtime, 3)) . " " . strip_tags($line));
1521 } 1522
backup_bank_restore::backup_bank_restore_backup_db /wp-backup-bank/lib/helper.php:2014 (show/hide source)
1994              $import_table_prefix = $wpdb->prefix;
1995  
1996              if (@ini_get("safe_mode") && "off" != strtolower(@ini_get("safe_mode"))) {
1997                 $this->backup_bank_log(" Warning: PHP safe_mode is active on your server. Timeouts are much more likely. If these happen, then you will need to manually restore the file via phpMyAdmin or another method.\r\n");
1998              }
1999  
2000              $is_plain = (substr($working_dir_localpath, -3, 3) == "sql");
2001              $is_zip = (substr($working_dir_localpath, -7, 7) == "sql.zip");
2002  
2003              if ($is_plain) {
2004                 $dbhandle = fopen($working_dir_localpath, "r");
2005              } elseif ($is_zip) {
2006                 $zip = new Backup_bank_PclZip();
2007                 $zip->extract($working_dir_localpath, dirname($working_dir_localpath));
2008                 $working_dir_localpath = str_replace(".sql.zip", ".sql", $working_dir_localpath);
2009                 $dbhandle = fopen($working_dir_localpath, "r");
2010              } else {
2011                 $dbhandle = gzopen($working_dir_localpath, "r");
2012              }
2013              if (!$dbhandle) {
2014 $this->backup_bank_log("Database File <b>$working_dir_localpath</b> has been Failed to open.\r\n");
2015 $this->restore_status = "restore_terminated"; 2016 return $this->restore_status;
@INLINE::/wp-backup-bank/lib/action-library.php /wp-backup-bank/lib/action-library.php:192 (show/hide source)
172                 break;
173  
174              case "backup_bank_manage_backups_module":
175                 if (wp_verify_nonce(isset($_REQUEST["_wp_nonce"]) ? $_REQUEST["_wp_nonce"] : "", "backup_bank_manage_backups")) {
176                    $backup_id = isset($_REQUEST["id"]) ? intval($_REQUEST["id"]) : "";
177                    $restore_path = isset($_REQUEST["restore_path"]) ? sanitize_text_field($_REQUEST["restore_path"]) : "";
178  
179                    $bb_backup_data = $wpdb->get_row
180                        (
181                        $wpdb->prepare
182                            (
183                            "SELECT meta_key,meta_value FROM " . backup_bank_meta() .
184                            " WHERE meta_id = %d", $backup_id
185                        )
186                    );
187                    $bb_backup_data_array = maybe_unserialize($bb_backup_data->meta_value);
188                    $file_name = basename($restore_path);
189                    $obj_backup_bank_restore = new backup_bank_restore($bb_backup_data_array, $restore_path);
190                    switch (sanitize_text_field($bb_backup_data_array["backup_type"])) {
191                       case "only_database":
192 $restore_ret = $obj_backup_bank_restore->backup_bank_restore_backup_db(untrailingslashit($bb_backup_data_array["folder_location"]) . "/" . $file_name);
193 break; 194