False positives with the Redux Framework

  • Resolved ginmi

    (@ginmi)


    9 years, 3 months ago

    I’ve recently installed a theme on my site which recommends the use of the Redux framework plugin which I have also installed.

    The first scan Wordfence run on my site after the new theme was applied, I received the following warning:

    This file may contain malicious executable code:
    …/wp-content/themes/evolve/library/admin/redux-extensions/extensions/vendor_support/vendor/ace_editor/mode-php.js

    This file is a PHP executable file and contains an eval() function and base64() decoding function on the same line. This is a common technique used by hackers to hide and execute code.

    I posted this issue in the support forums and both the theme creator and the lead developer of Redux assured me it was a false positive.

    The lead developer of Redux further added:

    First, Ace Editor is an open source project used by endless companies on the net. You can see details about it here: https://ace.c9.io/

    The Wordfence is giving a PHP flag error for a JavaScript file, which means it’s just mass searching for strings using regex. If you search the source of the file in question (https://github.com/ajaxorg/ace/blob/master/lib/ace/mode/php/php.js). you’ll see that there is NO eval() anywhere, but there is reference to the EVAL name. Which means they’re just searching for eval, not eval( or eval (.

    My suggestion is you contact Wordfence and suggest to them to improve their regex, so that something as simple as this does not cause an error. For truly, this is a false alarm.

    You might want to take a look at fixing this as the Redux framework is relatively widely used and you don’t wanna scare people for no reason.

    https://www.ads-software.com/plugins/wordfence/

Viewing 15 replies - 1 through 15 (of 18 total)
  • Plugin Author WFMattR

    (@wfmattr)

    Thanks for reporting this, we don’t see many false positives.

    I tried installing the same theme here, and verified that I have the file mentioned above, but I don’t get a warning in Wordfence when I run a scan, even if I enable “high sensitivity” on the Options page.

    Are you using the latest version of Wordfence, 6.0.15?

    If this is happening in the latest version of Wordfence, please email me these two things:
    1. A copy of the “mode-php.js” file from your server
    2. Your Wordfence settings (detailed below)

    My email address is: mattr [at] wordfence.com

    To export your Wordfence settings to send to me, go to the Wordfence Options page, scroll to the bottom, and click the Export Wordfence Settings button. This will give you a very long “token” of letters and numbers, which will let me use the same settings that you have. Just paste that in the body of the email.

    Once I get your email, I will check it out. Thanks!

    @wfmattr – Lead dev of Redux here. Let me know if there’s anything on my end we can do. ??

    Plugin Author WFMattR

    (@wfmattr)

    Dovy: Great, thanks for the offer! Can you tell me if you just added Ace Editor in your latest release? Or if not, was it just updated to a new version in this release?

    Plugin Author WFMattR

    (@wfmattr)

    I’ve submitted this to the dev team to check out, and did reproduce the problem here. It only happens when Wordfence is set to be more strict and include .js, images, and other files in the scans for PHP issues. (This option is available because some hacks rely on uploaded files that are not PHP files, but contain PHP code.)

    Received this same error only after updating the Redux Framework to 3.5.8.1

    Scan ran last night and pointed out this same file as containing malicious malware:

    wp-content/plugins/redux-framework/ReduxCore/inc/fields/ace_editor/vendor/mode-php.js

    So this is a false positive I can ignore, correct?

    Yea, that’s typical. The ace-editor throws some flags. It’s completely safe though. You can check out the actual project: https://ace.c9.io/ We just embed it within Redux. ??

    Plugin Author WFMattR

    (@wfmattr)

    @dovy: Thanks for the quick reply!

    @codyecp: If you mark this file as fixed on the Wordfence scan page, and then run another scan manually, does it still appear? I’ve tried scanning with the strict options enabled and disabled while the Redux plugin is installed, and tried turning some of the other related options on and off, and haven’t seen any warnings on two servers.

    This issue is a little different from the original request, where it was the Redux framework bundled in the Evolve theme, while this one is the Redux plugin. There was a fix in a recent version of Wordfence for scanning themes, which seems to have fixed the original issue with the false positive in the theme.

    Thanks!

    -Matt R

    Just marked as fixed, ran the scanner and it comes out clean (no false positive).

    ??

    Plugin Author WFMattR

    (@wfmattr)

    Ok, then it looks like the scan must have been run between when the new version of the plugin was released, and the time when the Wordfence scanning servers processed it. For files that are scanned during that period, Wordfence will do a more thorough scan, since it cannot verify that the file isn’t modified from the original version.

    Once the scanning server has processed the file after a new release, the warning should not happen again.

    I’ve mentioned the issue to the dev team, so if there is a way to prevent this in the future, without missing malicious files I’m sure it will be implemented. Unfortunately, PHP is very flexible in what it allows near “eval” and other keywords and functions (even comments between “eval” and its open parentheses), so it doesn’t look like the regex could be refined without making it extremely slow for the volume of files that are scanned.

    It should be fairly rare that this happens, but still may come up from time to time.

    -Matt R

    Hi,

    I’ve got the same warning

    Alert generated at Friday 22nd of April 2016 at 08:30:21 AM

    Critical Problems:

    * File appears to be malicious: wp-content/plugins/redux-framework/ReduxCore/inc/fields/ace_editor/vendor/mode-php.js

    Latest versions of the WP and plugin in use.

    May I ignore this alert?

    Thanks

    File appears to be malicious: wp-content/plugins/redux-framework/ReduxCore/inc/fields/ace_editor/vendor/mode-php.js
    Filename: wp-content/plugins/redux-framework/ReduxCore/inc/fields/ace_editor/vendor/mode-php.js
    File type: Not a core, theme or plugin file.
    Issue first detected: 55 mins ago.
    Severity: Critical
    Status New
    This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “EvalError|InternalError|RangeError|ReferenceError|StopIteration|SyntaxError|TypeError|URIError|decodeURI|decodeURIComponent|encodeURI|encodeURIComponent|eval|isFinite|isNaN|parseFloat|parseInt|JSON|Ma…”. The infection type is: Suspicious eval with base64 decode.

    I assure you, it is not. ace_editor is a well-known product that many people use. It’s a false alert.

    What product gives you these alerts? I would love to find a way to fix these warnings if I knew how to reproduce them on my end. ??

    I too have had the same alert running Evolve + theme with the exact same error. Reinstalled the latest version of wp-content/themes/evolve-plus/library/admin/redux-extensions/extensions/vendor_support/vendor/ace_editor/mode-php.js from a freshly downloaded theme bundle and got the same error on Wordfence.

    When I mark it as “fixed” and do a rescan the file is marked again as a critically severe error.

    Seems like the problem remains.
    Any chance that Wordfence can be updated to avoid this false positive?

Viewing 15 replies - 1 through 15 (of 18 total)
  • The topic ‘False positives with the Redux Framework’ is closed to new replies.