Project: WordPress Plugin Backup Bank: WordPress Backup Plugin 4.0.21

Vulnerability: #8313597 (2018-06-07 22:46:46)

Warning

Many findings are false positives or describe vulnerabilities that are not exploitable. Please create a working "PoC" exploit before reporting anything to the vendor!

Details:

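Sink: Standard::file_put_contents
Risk: _REQUEST (request data reaches the sink). In the excerpts below, the flagged value appears to end up in the contents of the written message, where it is concatenated into the JSON text at line 1560 without JSON encoding. How the destination, `$this->json_file_name`, is set is not shown, so confirm that separately when triaging this finding.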
/wp-backup-bank/lib/helper.php:1560
1540                    $count_zipfiles_added = $this->count_database_tables == "" ? 1 : $this->count_database_tables;
1541                    if ($this->restore_completed == "") {
1542                       $result = ceil($count_zipfiles_added / $zipfiles_batched_count * 98);
1543                    } else {
1544                       $result = $this->restore_completed;
1545                    }
1546                    break;
1547  
1548                 default:
1549                    $zipfiles_batched_count = $this->count_files == "" ? 98 : $this->count_files;
1550                    $count_zipfiles_added = $this->files_restored == "" ? 1 : $this->files_restored;
1551                    if ($this->restore_completed == "") {
1552                       $result = ceil($count_zipfiles_added / $zipfiles_batched_count * 98);
1553                    } else {
1554                       $result = $this->restore_completed;
1555                    }
1556              }
1557              $new_line = str_replace("\r\n", "", $line);
1558              @file_put_contents($this->json_file_name, "");
1559              $message = "{" . "\r\n";
1560 $message .= '"log": ' . '"' . $new_line . '"' . ',' . "\r\n";
1561 $message .= '"perc": ' . $result . "\r\n"; 1562 $message .= "}";
Threat level 2

Callstack (listed from the sink back to the request handler):

backup_bank_restore::backup_bank_log /wp-backup-bank/lib/helper.php:1564
1544                       $result = $this->restore_completed;
1545                    }
1546                    break;
1547  
1548                 default:
1549                    $zipfiles_batched_count = $this->count_files == "" ? 98 : $this->count_files;
1550                    $count_zipfiles_added = $this->files_restored == "" ? 1 : $this->files_restored;
1551                    if ($this->restore_completed == "") {
1552                       $result = ceil($count_zipfiles_added / $zipfiles_batched_count * 98);
1553                    } else {
1554                       $result = $this->restore_completed;
1555                    }
1556              }
1557              $new_line = str_replace("\r\n", "", $line);
1558              @file_put_contents($this->json_file_name, "");
1559              $message = "{" . "\r\n";
1560              $message .= '"log": ' . '"' . $new_line . '"' . ',' . "\r\n";
1561              $message .= '"perc": ' . $result . "\r\n";
1562              $message .= "}";
1563  
1564 @file_put_contents($this->json_file_name, $message);
1565 } 1566 public function count_directories_backup_bank($full_filepath) {
backup_bank_restore::backup_bank_restore_backup_db /wp-backup-bank/lib/helper.php:2014
1994              $import_table_prefix = $wpdb->prefix;
1995  
1996              if (@ini_get("safe_mode") && "off" != strtolower(@ini_get("safe_mode"))) {
1997                 $this->backup_bank_log(" Warning: PHP safe_mode is active on your server. Timeouts are much more likely. If these happen, then you will need to manually restore the file via phpMyAdmin or another method.\r\n");
1998              }
1999  
2000              $is_plain = (substr($working_dir_localpath, -3, 3) == "sql");
2001              $is_zip = (substr($working_dir_localpath, -7, 7) == "sql.zip");
2002  
2003              if ($is_plain) {
2004                 $dbhandle = fopen($working_dir_localpath, "r");
2005              } elseif ($is_zip) {
2006                 $zip = new Backup_bank_PclZip();
2007                 $zip->extract($working_dir_localpath, dirname($working_dir_localpath));
2008                 $working_dir_localpath = str_replace(".sql.zip", ".sql", $working_dir_localpath);
2009                 $dbhandle = fopen($working_dir_localpath, "r");
2010              } else {
2011                 $dbhandle = gzopen($working_dir_localpath, "r");
2012              }
2013              if (!$dbhandle) {
2014 $this->backup_bank_log("Database File <b>$working_dir_localpath</b> has been Failed to open.\r\n");
2015 $this->restore_status = "restore_terminated"; 2016 return $this->restore_status;
@INLINE::/wp-backup-bank/lib/action-library.php /wp-backup-bank/lib/action-library.php:192
172                 break;
173  
174              case "backup_bank_manage_backups_module":
175                 if (wp_verify_nonce(isset($_REQUEST["_wp_nonce"]) ? $_REQUEST["_wp_nonce"] : "", "backup_bank_manage_backups")) {
176                    $backup_id = isset($_REQUEST["id"]) ? intval($_REQUEST["id"]) : "";
177                    $restore_path = isset($_REQUEST["restore_path"]) ? sanitize_text_field($_REQUEST["restore_path"]) : "";
178  
179                    $bb_backup_data = $wpdb->get_row
180                        (
181                        $wpdb->prepare
182                            (
183                            "SELECT meta_key,meta_value FROM " . backup_bank_meta() .
184                            " WHERE meta_id = %d", $backup_id
185                        )
186                    );
187                    $bb_backup_data_array = maybe_unserialize($bb_backup_data->meta_value);
188                    $file_name = basename($restore_path);
189                    $obj_backup_bank_restore = new backup_bank_restore($bb_backup_data_array, $restore_path);
190                    switch (sanitize_text_field($bb_backup_data_array["backup_type"])) {
191                       case "only_database":
192 $restore_ret = $obj_backup_bank_restore->backup_bank_restore_backup_db(untrailingslashit($bb_backup_data_array["folder_location"]) . "/" . $file_name);
193 break; 194