Project: WordPress Plugin Backup Bank: WordPress Backup Plugin 4.0.21

Vulnerability: #8313606 (2018-06-07 22:46:49)

Warning

There are many false positives and unexploitable vulnerabilities. Please create a working "PoC" exploit before reporting anything to the vendor!

Details:

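Sink: PHP::echo
Risk: _REQUEST
The scanner flags a value read from $_REQUEST (line 484) that may reach an echo statement (line 583) without output escaping, which would be reflected cross-site scripting (XSS) if confirmed. The lines that build $file_url_path in this branch are not shown, and the branch appears to sit behind the wp_verify_nonce() check on line 480, so both the data flow and its reachability have to be verified against the full file before this is treated as a real finding. Separately from the reported sink, lines 485–486 pass a request-supplied, base64-decoded path to wp_mkdir_p() with no validation visible in the excerpt, which is worth reviewing as well.
/wp-backup-bank/lib/action-library.php:484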
464                    $file_name = trailingslashit($location) . $archive_name . ".json";
465                    $file_url_path = trailingslashit(dirname(dirname($restore_path))) . "restore/" . $archive_name . ".json";
466  
467                    $result = 1;
468                    file_put_contents($file_name, "");
469                    $message = "{" . "\r\n";
470                    $message .= '"log": ' . '"Restoring Backup"' . ',' . "\r\n";
471                    $message .= '"perc": ' . $result . "\r\n";
472                    $message .= "}";
473                    file_put_contents($file_name, $message);
474  
475                    echo $file_url_path;
476                 }
477                 break;
478  
479              case "check_cloud_connection":
480                 if (wp_verify_nonce(isset($_REQUEST["_wp_nonce"]) ? $_REQUEST["_wp_nonce"] : "", "backup_bank_check_ftp_dropbox_connection")) {
481                    $backup_destination = isset($_REQUEST["backup_destination"]) ? base64_decode($_REQUEST["backup_destination"]) : "";
482                    $backup_type = isset($_REQUEST["type"]) ? sanitize_text_field($_REQUEST["type"]) : "";
483  
484 $archive_name = isset($_REQUEST["archive_name"]) ? base64_decode($_REQUEST["archive_name"]) : "";
485 $location = base64_decode(isset($_REQUEST["content_location"]) ? $_REQUEST["content_location"] : "") . base64_decode(isset($_REQUEST["folder_location"]) ? $_REQUEST["folder_location"] : ""); 486 !is_dir($location) ? wp_mkdir_p($location) : "";
Threat level 2

Callstack:

@INLINE::/wp-backup-bank/lib/action-library.php /wp-backup-bank/lib/action-library.php:583
563                              )
564                          );
565                          $google_drive_data_array = maybe_unserialize($google_drive_data);
566                          $obj_google_drive_backup_bank = new google_drive_backup_bank();
567                          $check = $obj_google_drive_backup_bank->google_drive_check_auth_token(sanitize_text_field($google_drive_data_array["client_id"]), sanitize_text_field($google_drive_data_array["secret_key"]), sanitize_text_field($google_drive_data_array["redirect_uri"]));
568                          if ($check == "601") {
569                             echo "601";
570                             die();
571                          }
572                          break;
573                    }
574  
575                    file_put_contents($file_name, "");
576                    $message = "{" . "\r\n";
577                    $message .= '"log": ' . '"Starting Backup"' . ',' . "\r\n";
578                    $message .= '"perc": ' . $result . ',' . "\r\n";
579                    $message .= '"status": ' . '"Starting"' . ',' . "\r\n";
580                    $message .= '"cloud": ' . '1' . "\r\n";
581                    $message .= "}";
582                    file_put_contents($file_name, $message);
583 echo untrailingslashit($file_url_path);
584 } 585 break;