Project: Wordpress Plugin Backup Bank: WordPress Backup Plugin 4.0.21

Vulnerability: #8313610 (2018-06-07 22:46:49)

Warning

Many reported findings are false positives or unexploitable vulnerabilities. Please build a working proof-of-concept (PoC) exploit before reporting anything to the vendor.

Details:

Sink: PHP::echo
Tainted source (risk): $_REQUEST
/wp-backup-bank/lib/action-library.php:484
464                    $file_name = trailingslashit($location) . $archive_name . ".json";
465                    $file_url_path = trailingslashit(dirname(dirname($restore_path))) . "restore/" . $archive_name . ".json";
466  
467                    $result = 1;
468                    file_put_contents($file_name, "");
469                    $message = "{" . "\r\n";
470                    $message .= '"log": ' . '"Restoring Backup"' . ',' . "\r\n";
471                    $message .= '"perc": ' . $result . "\r\n";
472                    $message .= "}";
473                    file_put_contents($file_name, $message);
474  
475                    echo $file_url_path;
476                 }
477                 break;
478  
479              case "check_cloud_connection":
480                 if (wp_verify_nonce(isset($_REQUEST["_wp_nonce"]) ? $_REQUEST["_wp_nonce"] : "", "backup_bank_check_ftp_dropbox_connection")) {
481                    $backup_destination = isset($_REQUEST["backup_destination"]) ? base64_decode($_REQUEST["backup_destination"]) : "";
482                    $backup_type = isset($_REQUEST["type"]) ? sanitize_text_field($_REQUEST["type"]) : "";
483  
484 $archive_name = isset($_REQUEST["archive_name"]) ? base64_decode($_REQUEST["archive_name"]) : "";
485 $location = base64_decode(isset($_REQUEST["content_location"]) ? $_REQUEST["content_location"] : "") . base64_decode(isset($_REQUEST["folder_location"]) ? $_REQUEST["folder_location"] : ""); 486 !is_dir($location) ? wp_mkdir_p($location) : "";
Threat level: 2. Note that the `check_cloud_connection` branch is gated by the `wp_verify_nonce` check at line 480, which limits who can reach the tainted path; within the branch, `archive_name`, `content_location` and `folder_location` are only base64-decoded (not sanitized or path-validated) before being used to build `$location` and passed to `wp_mkdir_p`, and the same kind of value appears to reach `file_put_contents` and `echo` in the listed callstack.

Callstack:

@INLINE::/wp-backup-bank/lib/action-library.php /wp-backup-bank/lib/action-library.php:714
694                          );
695                          $google_drive_data_array = maybe_unserialize($google_drive_data);
696                          if (sanitize_text_field($google_drive_data_array["backup_to_google_drive"]) == "disable") {
697                             echo "600";
698                             die();
699                          }
700                          $obj_google_drive_backup_bank = new google_drive_backup_bank();
701                          $check = $obj_google_drive_backup_bank->google_drive_check_auth_token(sanitize_text_field($google_drive_data_array["client_id"]), sanitize_text_field($google_drive_data_array["secret_key"]), sanitize_text_field($google_drive_data_array["redirect_uri"]));
702                          if ($check == "601") {
703                             echo "601";
704                             die();
705                          }
706                          break;
707                    }
708                    $message = "{" . "\r\n";
709                    $message .= '"log": ' . '"Re-running Backup"' . ',' . "\r\n";
710                    $message .= '"perc": ' . $result . "\r\n";
711                    $message .= '"cloud": ' . '1' . "\r\n";
712                    $message .= "}";
713                    file_put_contents($file_name, $message);
714 echo $file_url_path;
715 } 716 break;