Project: WordPress Plugin Backup Bank: WordPress Backup Plugin 4.0.21

Vulnerability: #8313613 (2018-06-07 22:46:50)

Warning

Many of these findings are false positives or unexploitable vulnerabilities. Please create a working proof-of-concept ("PoC") exploit before reporting anything to the vendor!

Details:

Sink: Standard::http_build_query
Risk: $_REQUEST
/wp-backup-bank/includes/queries.php:256
236                 break;
237  
238              case "bb_amazons3_settings":
239                 $amazons3_settings_data = $wpdb->get_var
240                     (
241                     $wpdb->prepare
242                         (
243                         "SELECT meta_value FROM " . backup_bank_meta() .
244                         " WHERE meta_key=%s", "amazons3_settings"
245                     )
246                 );
247                 $amazons3_settings_data_array = maybe_unserialize($amazons3_settings_data);
248                 break;
249  
250              case "bb_dropbox_settings":
251                 $obj_dbHelper_backup_bank = new dbHelper_backup_bank();
252                  if(isset($_REQUEST["code"]))
253                  {
254                      $backup_bank_dropbox_array = get_option("backup_bank_dropbox_array");
255                      $obj_dropbox_backup_bank = new dropbox_backup_bank();
256 $code = $_REQUEST["code"];
257 $obj_dropbox = $obj_dropbox_backup_bank->dropbox_client($backup_bank_dropbox_array["api_key"],$backup_bank_dropbox_array["secret_key"]); 258 $access_token = $obj_dropbox->GetBearerToken($code,admin_url()."admin.php?page=bb_dropbox_settings");
Threat level 1

Callstack:

DropboxClient::createRequestContext /wp-backup-bank/lib/dropbox/dropbox-client.php:715
695  		return $res;
696  	}
697  
698  	/**
699  	 * @param $url string
700  	 * @param $params
701  	 * @param string $content
702  	 * @param int $bearer_token
703  	 *
704  	 * @return resource
705  	 */
706  	private function createRequestContext( $url, $params, &$content = "", $bearer_token = - 1 ) {
707  		if ( $bearer_token === - 1 ) {
708  			$bearer_token = $this->accessToken['t'];
709  		}
710  
711  		$http_context = array( 'method' => "POST", 'header' => '', 'content' => '' );
712  
713  		if ( strpos( $url, '/oauth2/token' ) !== false ) {
714  			$http_context['header']  .= "Content-Type: application/x-www-form-urlencoded\r\n";
715 $http_context['content'] = http_build_query( $params );
716 } else { 717
DropboxClient::doSingleCall /wp-backup-bank/lib/dropbox/dropbox-client.php:781
761  	) {
762  		if ( ! empty( $resp->error ) ) {
763  			throw new DropboxException( $resp, $context );
764  		}
765  
766  		return $resp;
767  	}
768  
769  
770  	/**
771  	 * @param string $path
772  	 * @param array $params
773  	 * @param bool $content_call
774  	 * @param string $content
775  	 *
776  	 * @return object
777  	 * @throws DropboxException
778  	 */
779  	private function doSingleCall( $path, $params = array(), $content_call = false, &$content = null ) {
780  		$url     = self::cleanUrl( ( $content_call ? self::API_CONTENT_URL : self::API_URL ) . $path );
781 $context = $this->createRequestContext( $url, $params, $content );
782 783 $json = $this->useCurl ? self::execCurlAndClose( $context ) : file_get_contents( $url, false, $context );
DropboxClient::apiCall /wp-backup-bank/lib/dropbox/dropbox-client.php:842
822  	 *
823  	 * @return object
824  	 * @throws DropboxException
825  	 */
826  	private
827  	function apiCall(
828  		$path, $params = array(), $content_call = false, &$content = null
829  	) {
830  		$resp = $this->doSingleCall( $path, $params, $content_call, $content );
831  
832  		// check for 'has_more' and run /continue requests
833  		if ( ! empty( $resp->has_more ) && strpos( $path, '/continue' ) === false ) {
834  			$path .= '/continue';
835  		}
836  
837  		while ( ! $content_call && ! empty( $resp->has_more ) ) {
838  			if ( empty( $resp->cursor ) ) {
839  				throw new DropboxException( "Unexpected response from $path: has_more without cursor!" );
840  			}
841  			$params['cursor'] = is_string( $resp->cursor ) ? $resp->cursor : $resp->cursor->value;
842 self::mergeContinue( $resp, $this->doSingleCall( $path, $params, $content_call, $content ) );
843 } 844
DropboxClient::GetBearerToken /wp-backup-bank/lib/dropbox/dropbox-client.php:161
141  		if ( empty( $code ) ) {
142  			$code = filter_input( INPUT_GET, 'code', FILTER_SANITIZE_STRING );
143  			if ( empty( $code ) ) {
144  				throw new DropboxException( 'Missing OAuth2 code parameter!' );
145  			}
146  		}
147  
148  		if ( ! empty( $redirect_uri ) ) {
149  			$this->_redirectUri = $redirect_uri;
150  		}
151  
152  		if ( empty( $this->_redirectUri ) ) {
153  			throw new DropboxException( 'Redirect URI unknown, please specify or call BuildAuthorizeUrl() before!' );
154  		}
155  
156  		$res = $this->apiCall( "oauth2/token", array(
157  			'code'          => $code,
158  			'grant_type'    => 'authorization_code',
159  			'client_id'     => $this->appParams['app_key'],
160  			'client_secret' => $this->appParams['app_secret'],
161 'redirect_uri' => $this->_redirectUri
162 ) ); 163
@INLINE::/wp-backup-bank/includes/queries.php /wp-backup-bank/includes/queries.php:258
238              case "bb_amazons3_settings":
239                 $amazons3_settings_data = $wpdb->get_var
240                     (
241                     $wpdb->prepare
242                         (
243                         "SELECT meta_value FROM " . backup_bank_meta() .
244                         " WHERE meta_key=%s", "amazons3_settings"
245                     )
246                 );
247                 $amazons3_settings_data_array = maybe_unserialize($amazons3_settings_data);
248                 break;
249  
250              case "bb_dropbox_settings":
251                 $obj_dbHelper_backup_bank = new dbHelper_backup_bank();
252                  if(isset($_REQUEST["code"]))
253                  {
254                      $backup_bank_dropbox_array = get_option("backup_bank_dropbox_array");
255                      $obj_dropbox_backup_bank = new dropbox_backup_bank();
256                      $code = $_REQUEST["code"];
257                      $obj_dropbox = $obj_dropbox_backup_bank->dropbox_client($backup_bank_dropbox_array["api_key"],$backup_bank_dropbox_array["secret_key"]);
258 $access_token = $obj_dropbox->GetBearerToken($code,admin_url()."admin.php?page=bb_dropbox_settings");
259 $obj_dropbox_backup_bank->store_token($access_token, "access"); 260 $bb_dropbox_settings_id = $wpdb->get_var