• [Resolved] danmont (@danmont)


    Thank you for this Awesome Plugin. I use it on all my sites.

    I ran a Plugin Inspector because I thought my site was hacked, and I found the following suggestions given with respect to Duplicator.

    Some of these range from Low to High security risk. Perhaps you could take a look at them in the next update.

    Unsafe: duplicator/views/tools/logging.php
    create_function at line 8:
    usort($logs, create_function('$a,$b', 'return filemtime($b) - filemtime($a);'));
    Potential risk: Low. Create an anonymous (lambda-style) function. A native anonymous function should be used instead.

    Unsafe: duplicator/classes/package.archive.zip.php
    file_get_contents at line 45:
    $json = file_get_contents(DUPLICATOR_SSDIR_PATH_TMP . "/{$archive->Package->NameHash}_scan.json");
    Potential risk: Medium. Read entire file into a string. May be used to load malicious code from the external source/website without any restrictions.

    Unsafe: duplicator/classes/package.database.php
    shell_exec at line 250:
    $output = shell_exec($cmd);
    Potential risk: High. Execute command via shell and return the complete output as a string.

    Unsafe: duplicator/classes/package.installer.php
    file_get_contents at line 44:
    $main_data = file_get_contents("{$main_path}");
    Potential risk: Medium. Read entire file into a string. May be used to load malicious code from the external source/website without any restrictions.

    file_get_contents at line 72:
    $search_data = @file_get_contents($template_path);
    Potential risk: Medium. Read entire file into a string. May be used to load malicious code from the external source/website without any restrictions.

    file_get_contents at line 73:
    $insert_data = @file_get_contents($file_path);
    Potential risk: Medium. Read entire file into a string. May be used to load malicious code from the external source/website without any restrictions.

    file_get_contents at line 177:
    $q = file_get_contents($filename);
    Potential risk: Medium. Read entire file into a string. May be used to load malicious code from the external source/website without any restrictions.

    Unsafe: duplicator/classes/utility.php
    shell_exec at line 240:
    if (!@shell_exec('echo duplicator'))
    Potential risk: High. Execute command via shell and return the complete output as a string.

    exec at line 283:
    $user = exec('whoami');
    Potential risk: High. Execute almost any system program on the web server.

    shell_exec at line 366:
    if (shell_exec('hash zip 2>&1') == NULL)
    Potential risk: High. Execute command via shell and return the complete output as a string.

    Unsafe: duplicator/installer/build/ajax.step1.php
    file_get_contents at line 179:
    $wpconfig = @file_get_contents('wp-config.php', true);
    Potential risk: Medium. Read entire file into a string. May be used to load malicious code from the external source/website without any restrictions.

    file_get_contents at line 248:
    $sql_file = @file_get_contents('database.sql', true);
    Potential risk: Medium. Read entire file into a string. May be used to load malicious code from the external source/website without any restrictions.

    file_get_contents at line 250:
    $sql_file = file_get_contents('installer-data.sql', true);
    Potential risk: Medium. Read entire file into a string. May be used to load malicious code from the external source/website without any restrictions.

    Unsafe: duplicator/installer/build/ajax.step2.php
    file_get_contents at line 210:
    $config_file = @file_get_contents('wp-config.php', true);
    Potential risk: Medium. Read entire file into a string. May be used to load malicious code from the external source/website without any restrictions.

    Unsafe: duplicator/installer/build/main.installer.php
    file_get_contents at line 52:
    $data = file_get_contents($filename);
    Potential risk: Medium. Read entire file into a string. May be used to load malicious code from the external source/website without any restrictions.

    Unsafe: duplicator/installer/build/classes/class.serializer.php
    create_function at line 119:
    $walk_function = create_function('&$str', '$str = "$str";');
    Potential risk: Low. Create an anonymous (lambda-style) function. A native anonymous function should be used instead.

    base64_decode at line 209:
    if (base64_decode($row[$column], true)) {
    Potential risk: High. Decode data encoded with MIME base64. May be used to obfuscate (hide) malicious code. Often paired with eval function to execute malicious code.

    base64_decode at line 210:
    $decoded = base64_decode($row[$column], true);
    Potential risk: High. Decode data encoded with MIME base64. May be used to obfuscate (hide) malicious code. Often paired with eval function to execute malicious code.

    https://wordpress.org/plugins/duplicator/

Viewing 1 replies (of 1 total)
  • Hi @danmont,

    Thanks for the feedback! I did a quick scan on those items and none of them stand out as issues. The problem with many of those scanners is that they usually can't determine the input request vars very well, which on those calls are all pre-filtered. I will take another pass at it later to double check…

    Cheers~
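As an added example (not code from this thread, from Plugin Inspector or from Duplicator), a small Python triage helper for findings like the ones listed above: it separates sinks called with a constant argument from those whose argument is a variable or array element, which is the distinction the reply says these scanners usually cannot make. The sample lines are constructed to mirror the quoted findings; the severity table repeats the inspector's own base ratings.

```python
import re

# Constructed sample lines modelled on the inspector findings quoted in the thread (not Duplicator source).
SAMPLE_LINES = [
    "usort($logs, create_function('$a,$b', 'return filemtime($b) - filemtime($a);'));",
    "$output = shell_exec($cmd);",
    "if (!@shell_exec('echo duplicator'))",
    "$user = exec('whoami');",
    '$main_data = file_get_contents("{$main_path}");',
    "$decoded = base64_decode($row[$column], true);",
]
# Base severity for each sink, as the inspector reports it.
BASE_RISK = {"shell_exec": "High", "exec": "High", "base64_decode": "High",
             "file_get_contents": "Medium", "create_function": "Low"}
CALL_RE = re.compile(r"\b(" + "|".join(BASE_RISK) + r")\s*\(")
# A single-quoted string, or a double-quoted one with no '$' to interpolate.
LITERAL_RE = re.compile(r"'[^']*'|\"[^\"$]*\"")


def first_argument(src, pos):
    """First argument of the call whose '(' ends just before pos; quotes and
    nested parentheses are tracked so inner commas do not end the argument."""
    depth, quote, out = 0, None, []
    for ch in src[pos:]:
        if quote:                       # inside a string literal
            out.append(ch)
            if ch == quote:
                quote = None
            continue
        if ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch in "),":
            if depth == 0:              # end of the first argument
                break
            depth -= 1 if ch == ")" else 0
        out.append(ch)
    return "".join(out).strip()


def triage(line):
    """Return (sink, base risk, argument kind, argument) per flagged call; a constant
    argument cannot carry request data, a variable one needs its source traced."""
    findings = []
    for m in CALL_RE.finditer(line):
        func, arg = m.group(1), first_argument(line, m.end())
        kind = "literal" if LITERAL_RE.fullmatch(arg) else "variable"
        findings.append((func, BASE_RISK[func], kind, arg))
    return findings
```

Findings with a literal argument (such as shell_exec('echo duplicator') or exec('whoami')) are candidates for a lower priority; the variable ones are where a manual check of how the value is filtered belongs.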

  • The topic ‘Suggestions for Next Update’ is closed to new replies.