Snapshot Backup
ftp_connect errors in PHP error log (4 posts)

  1. AITpro
    Member
    Posted 2 years ago #

    Hello,

    php error:
    [20-Aug-2011 16:56:16] PHP Warning: ftp_connect() [function.ftp-connect]: php_network_getaddresses: getaddrinfo failed: Name or service not known in /home1/xxxxxx/public_html/wp-content/plugins/snapshot-backup/includes/sendaway.php on line 13

    I noticed PHP errors were occurring every 1 to 2 minutes in a PHP error log on a site that I am looking at. The frequency of the ftp_connect errors, in minutes, for a series of these ftp_connect errors was:
    1:46
    1:00
    1:37
    1:31
    1:23
    1:35
    1:59
    This particular site did not have FTP info added (password, etc.) and was not set to automatically perform snapshot backups, i.e. "Do not perform automatic backups".

    What concerns me is that when I look at the code in /includes/sendaway.php, I do not see any security checking in the code. I see this:

    // connect to host
    $conn = ftp_connect($host);

    but shouldn't there be some security checking going on here?

    if (current_user_can('manage_options')) {

    The WordPress Settings API that this plugin is using for DB options does perform security checking (nonce) automatically, but still, shouldn't there be a security check here to make sure the ftp_connect function cannot be executed by anyone who does not have manage_options or other admin permissions? Thanks.

    http://wordpress.org/extend/plugins/snapshot-backup/

  2. Jay Versluis
    Member
    Plugin Author

    Posted 2 years ago #

    Good point.

    I've implemented this check at the beginning of the plugin once, but not explicitly before every single command execution.

    I'm not a PHP coder so any help on making this thing better is appreciated.

  3. AITpro
    Member
    Posted 2 years ago #

    I downloaded the latest version and see the new code you added, but this only blocks someone from accessing snapshot-backup.php directly.

    A simpler way to accomplish this is to put this at the top of all your plugin pages.

    // Direct calls to this file are Forbidden when core files are not present
    if ( !function_exists('add_action') ) {
        header('Status: 403 Forbidden');
        header('HTTP/1.1 403 Forbidden');
        exit();
    }

    // Only users with the manage_options capability may continue
    if ( !current_user_can('manage_options') ) {
        header('Status: 403 Forbidden');
        header('HTTP/1.1 403 Forbidden');
        exit();
    }

    You should be checking the referrer and have nonces on all your forms, except for the forms that are using the WordPress Settings API.

    if ( isset($_POST['bps-view-phpinfo']) && current_user_can('manage_options') ) {
        // check_admin_referer() dies with an error if the nonce is missing or invalid
        check_admin_referer( 'bps-view-phpinfo-check' );
        // ... handle the form submission here ...
    }

    Then in your form add this
    <?php wp_nonce_field('bps-view-phpinfo-check'); ?>

    You still have not secured the sendaway.php file. It is very, very easy to hack. :(

    // connect to host
    $conn = ftp_connect($host);

    Change it to this

    // If in WP Dashboard or Admin Panels
    if ( is_admin() ) {
        // If user has WP manage options permissions
        if ( current_user_can('manage_options') ) {
            // connect to host ONLY if the 2 security conditions are valid / met
            $conn = ftp_connect($host);
            // ... login and upload go here ...
        }
    }

    You need to do this kind of security checking throughout your coding. It is better to do security overkill than not to have every single potentially dangerous vulnerability secured.
    Thanks,
    Ed
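
The checks suggested in the post above, pulled together into one guarded upload routine as an added example (not code from the plugin or from either poster). The function name snapshot_backup_send_file(), the nonce action 'snapshot-backup-send' and the option name 'snapshot_backup_ftp' are assumed placeholders; it also skips ftp_connect() entirely when no FTP host is saved, which is what was filling the error log on a site with no FTP details configured.

```php
<?php
// Hardened sketch of sendaway.php (added example, not the plugin's own code).
// snapshot_backup_send_file(), 'snapshot-backup-send' and 'snapshot_backup_ftp'
// are placeholder names chosen for this illustration.

// Direct calls to this file are forbidden when WordPress core is not loaded.
if ( ! function_exists( 'add_action' ) ) {
    header( 'HTTP/1.1 403 Forbidden' );
    exit();
}

/**
 * Upload a backup file over FTP, but only from an authorised admin request.
 * Returns true on success, or a WP_Error explaining why nothing was sent.
 */
function snapshot_backup_send_file( $local_file ) {
    // 1. Only an admin-side request by a user who may manage options qualifies.
    if ( ! is_admin() || ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions.' );
    }
    // 2. The request must carry the nonce from the plugin's own form
    //    (emitted there with wp_nonce_field( 'snapshot-backup-send' )).
    $nonce = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'snapshot-backup-send' ) ) {
        return new WP_Error( 'bad_nonce', 'Request did not come from the plugin form.' );
    }
    // 3. Never call ftp_connect() with an empty or missing host: that is the
    //    getaddrinfo warning that repeats in the error log every couple of minutes.
    $opts = get_option( 'snapshot_backup_ftp', array() );
    $host = isset( $opts['host'] ) ? trim( $opts['host'] ) : '';
    if ( '' === $host || empty( $opts['user'] ) || ! isset( $opts['pass'] ) ) {
        return new WP_Error( 'not_configured', 'No FTP destination configured.' );
    }
    // 4. Only now touch the network, and report every failure to the caller.
    $conn = ftp_connect( $host );
    if ( false === $conn ) {
        return new WP_Error( 'connect_failed', "Could not connect to $host." );
    }
    if ( ! ftp_login( $conn, $opts['user'], $opts['pass'] ) ) {
        ftp_close( $conn );
        return new WP_Error( 'login_failed', 'FTP login rejected.' );
    }
    $sent = ftp_put( $conn, basename( $local_file ), $local_file, FTP_BINARY );
    ftp_close( $conn );
    return $sent ? true : new WP_Error( 'upload_failed', 'ftp_put() failed.' );
}
```

Wiring the function to a form handler and returning the WP_Error message to the settings screen is left to the plugin; the point is that the network call sits behind the capability check, the nonce check and a configured-host check, in that order.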

  4. milican
    Member
    Posted 2 years ago #

    I am having the same problem. Thanks for the effort with the plugin, but I'm deleting until the security issues above are addressed. I have experienced the errors above, and will try again later.

Topic Closed

This topic has been closed to new replies.
