Suggestions for Next Update
Thank you for this Awesome Plugin. I use it on all my sites.
I ran a Plugin Inspector because I thought my site was hacked, and I found the following suggestions given with respect to Duplicator.
Some of these range from Low to High Security Risk. Perhaps you could take a look at them in the next update.
Unsafe: /duplicator/views/tools/logging.php
  create_function at line 8:
    usort($logs, create_function('$a,$b', 'return filemtime($b) - filemtime($a);'));
  Potential risk: Low. Create an anonymous (lambda-style) function. A native anonymous function should be used instead.

Unsafe: /duplicator/classes/package.archive.zip.php
  file_get_contents at line 45:
    $json = file_get_contents(DUPLICATOR_SSDIR_PATH_TMP . "/{$archive->Package->NameHash}_scan.json");
  Potential risk: Medium. Read entire file into a string. May be used to load malicious code from the external source/website without any restrictions.

Unsafe: /duplicator/classes/package.database.php
  shell_exec at line 250:
    $output = shell_exec($cmd);
  Potential risk: High. Execute command via shell and return the complete output as a string.

Unsafe: /duplicator/classes/package.installer.php
  file_get_contents at line 44:
    $main_data = file_get_contents("{$main_path}");
  Potential risk: Medium. Read entire file into a string. May be used to load malicious code from the external source/website without any restrictions.
  file_get_contents at line 72:
    $search_data = @file_get_contents($template_path);
  Potential risk: Medium. Read entire file into a string. May be used to load malicious code from the external source/website without any restrictions.
  file_get_contents at line 73:
    $insert_data = @file_get_contents($file_path);
  Potential risk: Medium. Read entire file into a string. May be used to load malicious code from the external source/website without any restrictions.
  file_get_contents at line 177:
    $q = file_get_contents($filename);
  Potential risk: Medium. Read entire file into a string. May be used to load malicious code from the external source/website without any restrictions.

Unsafe: /duplicator/classes/utility.php
  shell_exec at line 240:
    if (!@shell_exec('echo duplicator'))
  Potential risk: High. Execute command via shell and return the complete output as a string.
  exec at line 283:
    $user = exec('whoami');
  Potential risk: High. Execute almost any system program on the web server.
  shell_exec at line 366:
    if (shell_exec('hash zip 2>&1') == NULL)
  Potential risk: High. Execute command via shell and return the complete output as a string.

Unsafe: /duplicator/installer/build/ajax.step1.php
  file_get_contents at line 179:
    $wpconfig = @file_get_contents('wp-config.php', true);
  Potential risk: Medium. Read entire file into a string. May be used to load malicious code from the external source/website without any restrictions.
  file_get_contents at line 248:
    $sql_file = @file_get_contents('database.sql', true);
  Potential risk: Medium. Read entire file into a string. May be used to load malicious code from the external source/website without any restrictions.
  file_get_contents at line 250:
    $sql_file = file_get_contents('installer-data.sql', true);
  Potential risk: Medium. Read entire file into a string. May be used to load malicious code from the external source/website without any restrictions.

Unsafe: /duplicator/installer/build/ajax.step2.php
  file_get_contents at line 210:
    $config_file = @file_get_contents('wp-config.php', true);
  Potential risk: Medium. Read entire file into a string. May be used to load malicious code from the external source/website without any restrictions.

Unsafe: /duplicator/installer/build/main.installer.php
  file_get_contents at line 52:
    $data = file_get_contents($filename);
  Potential risk: Medium. Read entire file into a string. May be used to load malicious code from the external source/website without any restrictions.

Unsafe: /duplicator/installer/build/classes/class.serializer.php
  create_function at line 119:
    $walk_function = create_function('&$str', '$str = "$str
    ";');
  Potential risk: Low. Create an anonymous (lambda-style) function. A native anonymous function should be used instead.
  base64_decode at line 209:
    if (base64_decode($row[$column], true)) {
  Potential risk: High. Decode data encoded with MIME base64. May be used to obfuscate (hide) malicious code. Often paired with eval function to execute malicious code.
  base64_decode at line 210:
    $decoded = base64_decode($row[$column], true);
  Potential risk: High. Decode data encoded with MIME base64. May be used to obfuscate (hide) malicious code. Often paired with eval function to execute malicious code.
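The two changes the inspector's findings actually point at, written out as an added PHP example (this is not Duplicator's own code): the flagged create_function() call from logging.php rewritten as the native closure the scanner recommends, and a file read that is confined to a directory the plugin owns, which addresses the "without any restrictions" concern the Medium findings raise. The helper names (sort_logs_newest_first, read_local_file) and the temporary directory used for input are assumptions made for this illustration.

```php
<?php
// Added example, not Duplicator's code.
//
// 1. create_function() compiles a function from a string at runtime (and is
//    gone in PHP 8). A native closure does the same job without string
//    compilation, which is what the inspector's Low finding asks for.
// 2. file_get_contents() on a path built from variables is only unrestricted
//    if that path can resolve outside the directory the plugin owns, or to a
//    stream wrapper such as http://. Resolving the path and checking it stays
//    under an allowed base directory removes both possibilities.

// --- 1. Sort log files newest-first ---
// Flagged form reported by the inspector in logging.php:
//   usort($logs, create_function('$a,$b', 'return filemtime($b) - filemtime($a);'));
function sort_logs_newest_first(array $logs): array
{
    usort($logs, function (string $a, string $b): int {
        return filemtime($b) <=> filemtime($a);
    });
    return $logs;
}

// --- 2. Read a file only if it resolves inside an allowed directory ---
/**
 * Returns the file contents, or null if $relative names a stream wrapper,
 * escapes $base_dir, or does not exist. $base_dir is assumed to be the
 * plugin's own data directory.
 */
function read_local_file(string $base_dir, string $relative): ?string
{
    // Reject any scheme prefix (http://, php://, phar://, ...) outright.
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $relative)) {
        return null;
    }
    $base = realpath($base_dir);
    $full = realpath($base_dir . DIRECTORY_SEPARATOR . $relative);
    if ($base === false || $full === false) {
        return null;
    }
    // realpath() has already collapsed "..", so a prefix check suffices.
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    $data = file_get_contents($full);
    return $data === false ? null : $data;
}

// Usage against a constructed temporary directory so the example runs stand-alone.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dup_example_' . getmypid();
mkdir($base);
file_put_contents($base . '/a_scan.json', '{"ok":true}');
file_put_contents($base . '/b_scan.json', '{"ok":false}');
touch($base . '/a_scan.json', time() - 60); // make a_scan.json the older file

print_r(sort_logs_newest_first(glob($base . '/*_scan.json')));
var_dump(read_local_file($base, 'a_scan.json'));        // contents returned
var_dump(read_local_file($base, '../outside.txt'));     // rejected: leaves base
var_dump(read_local_file($base, 'http://host/x.json'));  // rejected: wrapper

array_map('unlink', glob($base . '/*'));
rmdir($base);
```

The shell_exec/exec findings have no equivalent drop-in rewrite: the defensive question there is whether $cmd is ever built from user-controlled input, which is something to verify in the plugin's code paths rather than something a helper can enforce after the fact.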