[Plugin: Snapshot Backup] ftp_connect errors in PHP error log

  • Hello,

    php error:
    [20-Aug-2011 16:56:16] PHP Warning: ftp_connect() [function.ftp-connect]: php_network_getaddresses: getaddrinfo failed: Name or service not known in /home1/xxxxxx/public_html/wp-content/plugins/snapshot-backup/includes/sendaway.php on line 13

    I noticed PHP errors were occurring every 1 to 2 minutes in a PHP error log on a site that I am looking at. The frequency of the ftp_connect errors is in minutes below for a series of these ftp_connect errors was:
    This particular site did not have FTP info added (password, etc.) and was not set to automatically perform snapshot backups – i.e. Do not perform automatic backups.

    What concerns me when I look at the coding in /includes/sendaway.php is that I do not see any security checking in the code. I see this:

    // connect to host
    $conn = ftp_connect($host);

    but shouldn’t there be some security checking going on here?

    if (current_user_can('manage_options')) {

    The WordPress Settings API that this plugin is using for DB options does perform security checking (nonce) automatically, but still shouldn’t there be a security check here to make sure the ftp_connect function cannot be executed by anyone that does not have manage_options or other admin permissions? Thanks.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Jay Versluis


    Good point..

    I’ve implemented this check at the beginning of the plugin once, but not explicitly before every single command execution.

    I’m not a PHP coder so any help on making this thing better is appreciated.

    I downloaded the latest version and see the new code you added, but this only blocks someone from accessing snapshot-backup.php directly.

    A simpler way to accomplish this is to put this at the top of all your plugin pages.

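    // Direct calls to this file are Forbidden when core files are not present
    if ( !function_exists('add_action') ){
        header('Status: 403 Forbidden');
        header('HTTP/1.1 403 Forbidden');
        exit(); // stop here; sending the headers alone does not end the script
    }

    // Only users with the manage_options capability may load this page
    if ( !current_user_can('manage_options') ){
        header('Status: 403 Forbidden');
        header('HTTP/1.1 403 Forbidden');
        exit();
    }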

    You should be checking the referrer and have nonces on all your forms, except for the forms that are using the WordPress Settings API.

    if (isset($_POST['bps-view-phpinfo']) && current_user_can('manage_options')) {
        // Dies unless the request carries the matching nonce
        check_admin_referer( 'bps-view-phpinfo-check' );
        // ... form handling goes here ...
    }

    Then in your form add this

    <?php wp_nonce_field('bps-view-phpinfo-check'); ?>

    You still have not secured the sendaway.php file. It is very, very easy to hack. 🙁

    // connect to host
    $conn = ftp_connect($host);

    Change it to this

    // If in WP Dashboard or Admin Panels
    if ( is_admin() ) {
        // If user has WP manage options permissions
        if ( current_user_can('manage_options') ) {
            // connect to host ONLY if the 2 security conditions are valid / met
            $conn = ftp_connect($host);
        }
    }

    You need to do this kind of security checking throughout your coding. It is better to do security overkill than to not have every single potentially dangerous vulnerability secured.

    I am having the same problem. Thanks for the effort with the plugin, but I’m deleting until the security issues above are addressed. I have experienced the errors above, and will try again later.
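
An added example, not part of the original thread and not the plugin's own code, showing the checks discussed above applied to the FTP step: a direct-access guard, a capability check, a nonce check, and a guard against an unset host. The `snapshot_example_*` option, action and nonce names are hypothetical.

```php
<?php
// Added example, not Snapshot Backup's code. The option, action and nonce
// names (snapshot_example_*) are hypothetical.

// Refuse direct requests to this file: WordPress defines ABSPATH on load.
if ( ! defined( 'ABSPATH' ) ) {
    header( 'HTTP/1.1 403 Forbidden' );
    exit;
}

// Runs only when a logged-in user submits the form to admin-post.php
// with action=snapshot_example_send.
add_action( 'admin_post_snapshot_example_send', 'snapshot_example_send' );

function snapshot_example_send() {
    // Authorization: is_admin() only reports that an admin screen was
    // requested, so the capability check is the one that matters.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to run backups.', 'Forbidden', array( 'response' => 403 ) );
    }

    // Intent: dies unless the request carries the nonce printed by
    // wp_nonce_field( 'snapshot_example_send_check' ) in the form.
    check_admin_referer( 'snapshot_example_send_check' );

    // Skip the connection when no host is saved (assumed here to be the
    // cause of the getaddrinfo warning quoted in the first post).
    $host = trim( (string) get_option( 'snapshot_example_ftp_host', '' ) );
    if ( '' === $host ) {
        wp_die( 'No FTP host is configured.' );
    }

    $conn = ftp_connect( $host, 21, 10 ); // port 21, 10-second timeout
    if ( false === $conn ) {
        wp_die( 'Could not connect to the FTP host.' );
    }

    $user = (string) get_option( 'snapshot_example_ftp_user', '' );
    $pass = (string) get_option( 'snapshot_example_ftp_pass', '' );
    if ( ! @ftp_login( $conn, $user, $pass ) ) {
        ftp_close( $conn );
        wp_die( 'FTP login failed.' );
    }

    // The upload itself (ftp_put) would go here.
    ftp_close( $conn );
    wp_safe_redirect( admin_url() );
    exit;
}
```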

  • The topic ‘[Plugin: Snapshot Backup] ftp_connect errors in PHP error log’ is closed to new replies.