• Resolved SmarterWebsites

    (@smarterwebsites)


    I keep getting this plugin tagged as malware by Anti Malware plugin (GOTMLS)

    I reported it to GOTMLS and this is his response:
    ——————————
Yes “include *.css” is considered a known threat because hackers commonly exploit plugins and themes that do this by concealing malicious PHP code in css files. This file is clean but it is considered very poor and insecure to use “include” with a css file because any PHP code will be executed. Instead the plugin developer could use file_get_contents to read the css file and then echo the contents that were returned; this will not execute any PHP code in the file. WordPress even has a built-in method called wp_enqueue_style, which is what they should be using to safely render their CSS from within their PHP code.

    You can whitelist this register-settings.php if you feel that this CSS file is safe, but I do not agree that it is proper or even appropriate to include any file that is not meant to contain executable PHP code.

    It seems clear to me that the developer did not write this code maliciously but they do need to change the code just to be safe.
    ————————————

    Hope you can check on that.

    Thanks.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter SmarterWebsites

    (@smarterwebsites)

    BTW, here is the file that was tagged, register-settings.php – https://pastebin.com/rJRPxQRG

Tagged line – #1032 – `<?php include POPMAKE_DIR . 'assets/css/site.min.css'; ?>`
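The flagged line beside the two alternatives GOTMLS describes (file_get_contents and wp_enqueue_style), as an added PHP example that is not Popup Maker's code. It assumes POPMAKE_URL and POPMAKE_VERSION exist alongside POPMAKE_DIR, and the scan function at the end is a rough rule of my own, not GOTMLS's actual signature.

```php
<?php
// Added example, not Popup Maker's code. POPMAKE_DIR is the plugin's base
// directory constant from the tagged line; POPMAKE_URL and POPMAKE_VERSION
// are assumed to exist alongside it.

// Flagged pattern: PHP parses the CSS file, so any PHP open tag that ends up
// in site.min.css is executed with the plugin's privileges.
function popmake_inline_css_flagged() {
    include POPMAKE_DIR . 'assets/css/site.min.css';
}

// Fix 1 (GOTMLS's first suggestion): read the file as text and echo it.
// Nothing inside it is executed; a literal "</style" is neutralised so the
// file cannot close the <style> element early.
function popmake_inline_css_safe() {
    $path = POPMAKE_DIR . 'assets/css/site.min.css';
    if ( ! is_readable( $path ) ) {
        return;
    }
    $css = str_replace( '</style', '<\/style', file_get_contents( $path ) );
    echo '<style id="popmake-site-css">' . $css . '</style>';
}

// Fix 2 (GOTMLS's second suggestion): let WordPress emit a <link> tag and
// never touch the file from PHP at all.
function popmake_enqueue_site_css() {
    wp_enqueue_style(
        'popmake-site',
        POPMAKE_URL . 'assets/css/site.min.css',
        array(),
        POPMAKE_VERSION
    );
}
add_action( 'wp_enqueue_scripts', 'popmake_enqueue_site_css' );

// Rough scan rule of my own (not GOTMLS's signature): report include/require
// statements whose target has a non-PHP extension, the pattern that was tagged.
function popmake_find_nonphp_includes( $source ) {
    $pattern = '/\b(?:include|require)(?:_once)?\b[^;]*?\.(?:css|js|txt|jpe?g|png|gif)\b/i';
    preg_match_all( $pattern, $source, $matches );
    return $matches[0];
}
```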

    Plugin Author Daniel Iser

    (@danieliser)

    @smarterwebsites – Simple enough change and we are all about security so will get this in last minute before I push out the latest major version (1.7 tonight or tomorrow).

That said, short of them having already compromised your system fully and able to edit files via ftp/sftp, or installing the plugin from a toxic source (non official copy of the plugin) which could include way more instant & malicious code directly in the php files, this couldn’t be exploited in any way.

    In either case they already could simply modify/add php to your files at that point which makes this a useless option for them to exploit.

The only way I can see this being exploitable would be if we used some type of user input as the path to the file or similar. Since it's hardcoded though there is no way this can be used to enter your site without previous compromise that would already be more access than this would provide.

    Either way consider it resolved just for good measure.

    Thread Starter SmarterWebsites

    (@smarterwebsites)

    Hey Daniel,

Thanks for your response. Thanks for checking this out and making us feel safe to keep using your plugin.

    Here is the Anti Malware we use – https://www.ads-software.com/plugins/gotmls/

  • The topic ‘False Positive as Malware’ is closed to new replies.