Hello,
Not a big deal, but just thought I would inform you of a false positive on a plugin recently. The following code was flagged by GOTML:
// Custom conditionalif ( $assignment['type'] == ‘custom’ ) {$process = ‘if (‘.htmlspecialchars_decode($assignment['id']).’) $id = $assignment["post_slug"];’;eval( $process );}
The developer responded that it is not malware:
Yes this is a valid code and it is not malware. The call to eval() allows you to set the “custom conditional” assignments from Appearance > Widget Areas.
Two things: First, that line looks to be rem’d out and not used anyway, so it should probably just be removed; And second, this code by itself is not even detected as a Known Threat, so there must have been more code around this line that was a contribution factor in the identification of this threat.
Can you please send me this file in it’s entirety so that I can examine what caused it to be detected and update the definition if needed?
Sorry, when I did the cut and past of the code, I screwed up the comment line.
The name of the plugin is Widget Areas by ThemeBlvd.
https://wordpress.org/plugins/theme-blvd-widget-areas/
Here is the code correctly formatted. (Line 341) Also, link to the entire file below.
// Custom conditional
if ( $assignment['type'] == ‘custom’ ) {
$process = ‘if (‘.htmlspecialchars_decode($assignment['id']).’) $id = $assignment["post_slug"];’;
eval( $process );
}
FILE:
https://drive.google.com/file/d/1E_9jxb1JFn_iPwPUsr3o5AozfrytHL5X/view?usp=sharing
Thanks for the entire file. I can see that this use of the eval function is not malicious but I also still don’t see this file detected as a known threat in my current definitions. Can you please click on the file name on the scan results page and then hover over the numbered link above the file contents so that you can see the name on the threat?
Then can you please send me this info or a screenshot of it, and also your definition version and your php version (found on the right-hand side)?
Screen shot, as requested.
Note that the scan was run on 11-27-2017. So whatever was the newest version of the definitions was run at that time.
https://drive.google.com/file/d/1G-HAORy02dbTGK3ltPlWGa7qH2IWuhQP/view?usp=sharing
I ran GOTMLS on a different site today, that has the same theme and plug. No malware reported. Here is the configuration on that site. Note it is using PHP 5.6
PHP:5.6.32
LiteSpeed
WordPress:4.8.4
Plugin:4.17.44
Definitions:HC79S
Right, so that False Positive was already corrected on the 5th of this month (after you ran that scan last month). It is now fixed so that if you restore that file from the quarantine and then run the scan again it will not flag it as a Known Threat.
Confirmed – Fix worked
Restored file.
Ran scan with newest version. No malware.
Thank you for checking this out.
