False Positive on plugin code

Home Forums Support Forum False Positive on plugin code

This topic contains 6 replies, has 2 voices, and was last updated by  Paul Wayne 7 years ago.

Viewing 7 posts - 1 through 7 (of 7 total)
  • Author
    Posts
  • #1972

    Paul Wayne
    Member

    Hello,

    Not a big deal, but just thought I would inform you of a false positive on a plugin recently.  The following code was flagged by GOTML:

    // Custom conditionalif ( $assignment['type'] == ‘custom’ ) {$process = ‘if (‘.htmlspecialchars_decode($assignment['id']).’) $id = $assignment["post_slug"];’;eval( $process );}

    The developer responded that it is not malware:

    Yes this is a valid code and it is not malware. The call to eval() allows you to set the “custom conditional” assignments from Appearance > Widget Areas.

    #1973

    Anti-Malware Admin
    Key Master

    Two things: First, that line looks to be rem’d out and not used anyway, so it should probably just be removed; And second, this code by itself is not even detected as a Known Threat, so there must have been more code around this line that was a contribution factor in the identification of this threat.

    Can you please send me this file in it’s entirety so that I can examine what caused it to be detected and update the definition if needed?

    #1977

    Paul Wayne
    Member

    Sorry, when I did the cut and past of the code, I screwed up the comment line.

    The name of the plugin is Widget Areas by ThemeBlvd.

    https://wordpress.org/plugins/theme-blvd-widget-areas/

    Here is the code correctly formatted.  (Line 341) Also, link to the entire file below.

    // Custom conditional

    if ( $assignment['type'] == ‘custom’ ) {

    $process = ‘if (‘.htmlspecialchars_decode($assignment['id']).’) $id = $assignment["post_slug"];’;

    eval( $process );

    }

    FILE:

    https://drive.google.com/file/d/1E_9jxb1JFn_iPwPUsr3o5AozfrytHL5X/view?usp=sharing

     

    #1978

    Anti-Malware Admin
    Key Master

    Thanks for the entire file. I can see that this use of the eval function is not malicious but I also still don’t see this file detected as a known threat in my current definitions. Can you please click on the file name on the scan results page and then hover over the numbered link above the file contents so that you can see the name on the threat?

    Then can you please send me this info or a screenshot of it, and also your definition version and your php version (found on the right-hand side)?

    #1979

    Paul Wayne
    Member

    Screen shot, as requested.

    Note that the scan was run on 11-27-2017. So whatever was the newest version of the definitions was run at that time.

    https://drive.google.com/file/d/1G-HAORy02dbTGK3ltPlWGa7qH2IWuhQP/view?usp=sharing

    I ran GOTMLS on a different site today, that has the same theme and plug.  No malware reported.  Here is the configuration on that site.  Note it is using PHP 5.6

    PHP:5.6.32
    LiteSpeed
    WordPress:4.8.4
    Plugin:4.17.44
    Definitions:HC79S

    #1980

    Anti-Malware Admin
    Key Master

    Right, so that False Positive was already corrected on the 5th of this month (after you ran that scan last month). It is now fixed so that if you restore that file from the quarantine and then run the scan again it will not flag it as a Known Threat.

    #1981

    Paul Wayne
    Member

    Confirmed – Fix worked

    Restored file.

    Ran scan with newest version.  No malware.

    Thank you for checking this out.

Viewing 7 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic.

Comments are closed.