• Resolved sjrcarter

    (@sjrcarter)


    We received notice that the plugin contains malicious code. Can you please confirm?

    wp-content/plugins/miniorange-saml-20-signle-sign-on/Utilities.php
    Matched text: include “/x78/x6d/x6c”

    Issue type: Backdoor:php/ObfuscatedInclude
    Description: PHP include() statement with an obfuscated filepath

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author miniOrange

    (@cyberlord92)

    Hi,

    Thanks for reaching out.

    There is nothing to worry about. Since you are using a premium plugin, the code that is deployed on your WordPress instance is protected.

    The tool that you are using to scan such plugins is primitive. It’s unable to distinguish between malicious obfuscated code and our premium code, which is for a valid reason.

    Please feel free to ask if you have any questions.

    Hi,
    I also encounter similar problems. All files in the module contain “special strings”.
    Here are the first lines of the mo_saml_settings_page.php.

    Are you sure all this is normal? When one compares the files in production with the files in one of the archives of the module, one finds absolutely none of these strings.

    <?php
    
    include "\x6d\x6f\x2d\163\141\x6d\154\x2d\154\x69\143\145\x6e\163\145\x2d\160\141\x67\145\56\x70\x68\160";
    include "\155\157\x2d\x73\141\155\154\x2d\163\x75\x70\x70\x6f\x72\164\x2d\160\141\x67\x65\x2e\160\150\x70";
    include "\155\157\x2d\163\x61\155\x6c\55\x66\x61\x71\163\55\x70\x61\147\x65\x2e\x70\150\160";
    include "\x6d\157\x2d\x73\x61\155\x6c\55\163\x65\x74\x75\160\x2d\151\x64\160\55\x70\x61\147\x65\56\x70\150\x70";
    function mo_register_saml_sso()
    {
        $zI = remove_query_arg("\x61\x63\164\151\157\x6e");
        $_SERVER["\122\x45\x51\x55\x45\123\124\137\x55\122\111"] = $zI;
        if (isset($_GET["\x74\141\142"])) {
            goto Zx;
        }
        if (mo_saml_is_customer_registered_saml() && mo_saml_is_customer_license_key_verified() && mo_saml_is_sp_configured()) {
            goto mZ;
        }
        if (mo_saml_is_customer_registered_saml() && mo_saml_is_customer_license_key_verified()) {
            goto ce;
        }
        $wL = "\x6c\x6f\x67\x69\156";
        goto zm;
        ce:
        $wL = "\143\x6f\x6e\x66\x69\147";
        zm:
        goto C3;
        mZ:
        $wL = "\147\x65\156\145\162\x61\154";
        C3:
        goto wY;
        Zx:
        $wL = $_GET["\x74\141\x62"];
        wY:
        if (mo_saml_is_curl_installed()) {
            goto pB;
        }
        echo "\15\xa\11\x9\x9\74\x70\x3e\74\146\x6f\x6e\164\40\x63\x6f\x6c\157\162\x3d\42\43\106\x46\60\60\60\x30\x22\76\x28\127\x61\x72\156\151\x6e\147\x3a\x20\74\x61\40\x68\162\x65\146\x3d\x22\150\x74\164\160\72\57\57\160\x68\x70\x2e\156\145\x74\x2f\155\141\156\165\x61\154\57\x65\156\57\143\165\x72\154\56\151\156\163\164\141\154\x6c\141\164\151\x6f\x6e\x2e\160\150\x70\x22\x20\x74\141\162\x67\145\164\x3d\x22\x5f\142\154\x61\x6e\153\42\76\x50\x48\120\x20\x63\x55\x52\114\x20\145\170\x74\x65\156\163\151\157\156\x3c\x2f\x61\x3e\x20\151\x73\40\156\157\x74\40\151\156\x73\164\141\x6c\154\145\x64\x20\157\162\40\x64\x69\163\141\142\154\x65\144\51\74\x2f\146\157\x6e\x74\x3e\74\57\160\76";
        pB:
        if (mo_saml_is_openssl_installed()) {
            goto BV;
        }
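
For anyone triaging a scanner hit like the one in this thread, the escaped include targets can be decoded and read instead of guessed at. The Python below is an added example, not part of the thread or of the plugin; the function names are hypothetical, and the two sample lines are copied from the reply above.

```python
import re

# PHP double-quoted escapes: \xHH (1-2 hex digits), \NNN (1-3 octal digits)
# and single-character escapes. Unknown escapes keep their backslash, as in PHP.
_ESC = re.compile(r'\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|.)', re.DOTALL)
_SIMPLE = {'n': '\n', 't': '\t', 'r': '\r', 'v': '\v', 'e': '\x1b',
           'f': '\f', '\\': '\\', '$': '$', '"': '"'}
# include/require(_once) followed by a double-quoted literal
_INCLUDE = re.compile(
    r'\b(?:include|require)(?:_once)?\s*\(?\s*"((?:[^"\\]|\\.)*)"', re.DOTALL)

def decode_php_dq(body):
    """Decode the body of a PHP double-quoted string (no variable interpolation)."""
    def repl(m):
        tok = m.group(1)
        if tok[0] == 'x' and len(tok) > 1:
            return chr(int(tok[1:], 16))
        if tok[0] in '01234567':
            return chr(int(tok, 8) & 0xFF)   # PHP wraps octal values above 0377
        return _SIMPLE.get(tok, '\\' + tok)
    return _ESC.sub(repl, body)

def decoded_includes(php_source):
    """Return each include target decoded, with flags a reviewer would check."""
    results = []
    for m in _INCLUDE.finditer(php_source):
        raw, path = m.group(1), decode_php_dq(m.group(1))
        results.append({
            'path': path,
            'obfuscated': raw != path,
            # stream wrapper, absolute path or parent traversal leaves the plugin dir
            'leaves_dir': '://' in path or path.startswith('/') or '..' in path.split('/'),
        })
    return results

# Two include lines copied from the reply above
SAMPLE = r'''<?php
include "\x6d\x6f\x2d\163\141\x6d\154\x2d\154\x69\143\145\x6e\163\145\x2d\160\141\x67\145\56\x70\x68\160";
include "\155\157\x2d\x73\141\155\154\x2d\163\x75\x70\x70\x6f\x72\164\x2d\160\141\x67\x65\x2e\160\150\x70";
'''

if __name__ == '__main__':
    for r in decoded_includes(SAMPLE):
        print(r)
```

Decoding only shows where each include points; the included files still have to be reviewed themselves.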
  • The topic ‘Criticial security issue’ is closed to new replies.