PHP comments at the start of a file produce false positives of type PHP_OBFUSC_SHELL #15

@tntteam

Description

Files that start with comment blocks are reported as PHP shells. Example file:

<?php
  /**************************************************************************\
  * Phenix Agenda                                                            *
  * http://phenix.gapi.fr                                                    *
  * Written by Stephane TEIL <phenix-agenda@laposte.net>                     *
  * --------------------------------------------                             *
  *  This program is free software; you can redistribute it and/or modify it *
  *  under the terms of the GNU General Public License as published by the   *
  *  Free Software Foundation; either version 2 of the License, or (at your  *
  *  option) any later version.                                              *
  \**************************************************************************/

  require("inc/conf.inc.php");

  // Suppression des informations selectionnees
  if (!empty($ztSuppr)) {
    $DB_CX->DbQuery("DELETE FROM ${PREFIX_TABLE}information WHERE info_id IN (".$ztSuppr.")");
  }

  // Fermeture BDD
  $DB_CX->DbDeconnect();

  // Reprise de la surveillance
  Header("location: info_surveille.php?sid=".$sid);
  exit;
?>

Scan result:

    {
        "score": 46,
        "filename": "info_valider.php",
        "cleanup": false,
        "details": [
            {
                "score": -2,
                "details": "",
                "rule": "INCLUDE_REQUIRE",
                "description": "Contains include() or require() without http"
            },
            {
                "score": -2,
                "details": "22 lines",
                "rule": "MANY_LINES",
                "description": "Contains many lines"
            },
            {
                "score": 50,
                "details": "",
                "rule": "PHP_OBFUSC_SHELL",
                "description": "Hidden shell script"
            }
        ],
        "mtime": 1301060985.0,
        "ctime": 1441461515.0
    },

Here is how I propose to fix it.
Change:

    if len(first_lines) > 12 and line_num < 30 and first_lines[0] == '<?php' and \
            len(first_lines[1]) == len(first_lines[2]) == len(first_lines[3]) == len(first_lines[4]) == \
            len(first_lines[5]) == len(first_lines[6]) == len(first_lines[7]) == len(first_lines[8]) and \
            len(first_lines[3]) > 40 and first_lines[3][0] == ' ':
        score.append(('PHP_OBFUSC_SHELL', ''))

To:

    if len(first_lines) > 12 and line_num < 30 and first_lines[0] == '<?php' and \
            len(first_lines[1]) == len(first_lines[2]) == len(first_lines[3]) == len(first_lines[4]) == \
            len(first_lines[5]) == len(first_lines[6]) == len(first_lines[7]) == len(first_lines[8]) and \
            len(first_lines[3]) > 40 and first_lines[3][0] == ' ':
        # Skip files whose equal-width block is a /** ... */ comment header
        if not (re.match(r'^\s*/\*\*', first_lines[1]) and re.match(r'^\s*\*', first_lines[2])):
            score.append(('PHP_OBFUSC_SHELL', ''))
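To make visible what the heuristic actually keys on, here is an added, stand-alone Python reproduction (editor's example; not code from the scanner or from tntteam). It implements the original rule and the proposed exclusion as two functions and runs them over three constructed files: one shaped like the info_valider.php header above, a filler stand-in for the equal-width eval() pattern the rule is aimed at, and that same filler with a fake two-line comment placed where the exclusion looks. `first_lines` being the file's lines with newlines stripped and `line_num` being the total line count are assumptions about the scanner's variables (the "22 lines" MANY_LINES detail suggests the latter); the sample files and helper names are constructed here.

```python
"""Reproduce the PHP_OBFUSC_SHELL heuristic from the issue and the proposed
comment-block exclusion, then run both over constructed sample files.

Assumptions (not taken from the scanner's source): `first_lines` is the list
of the file's lines with trailing newlines stripped, and `line_num` is the
file's total line count.
"""
import re


# --- constructed sample files ------------------------------------------------

def _box_line(text: str, width: int = 78) -> str:
    """Pad one line of a box-style comment header to a fixed width."""
    return ("  * " + text).ljust(width - 1) + "*"


# Constructed: the shape of the reporter's info_valider.php (GPL banner, then
# a few ordinary statements). Only the line structure matters to the rule.
LEGIT_FILE = [
    "<?php",
    "  /" + "*" * 74 + "\\",
    _box_line("Phenix Agenda"),
    _box_line("http://phenix.gapi.fr"),
    _box_line("Written by Stephane TEIL <phenix-agenda@laposte.net>"),
    _box_line("--------------------------------------------"),
    _box_line(" This program is free software; you can redistribute it and/or modify it"),
    _box_line(" under the terms of the GNU General Public License as published by the"),
    _box_line(" Free Software Foundation; either version 2 of the License, or (at your"),
    _box_line(" option) any later version."),
    "  \\" + "*" * 74 + "/",
    "",
    '  require("inc/conf.inc.php");',
    "  $DB_CX->DbDeconnect();",
    '  Header("location: info_surveille.php?sid=".$sid);',
    "  exit;",
    "?>",
]


def _chunk_line(chunk: str) -> str:
    """One equal-width string-concatenation line, as padded shells use."""
    return '  $p .= "' + chunk + '";'


# Constructed stand-in for the pattern the rule targets: a wall of equal-width
# concatenation lines feeding eval(). The "payload" is filler, not a shell.
OBFUSCATED_FILE = [
    "<?php",
    *[_chunk_line(c * 60) for c in "ABCDEFGH"],
    "  eval(base64_decode($p));",
    "  // padding so the file has more than 12 lines",
    "", "", "", "",
    "?>",
]

# Constructed: the same filler with a fake comment opener on the two lines the
# proposed exclusion inspects. The comment closes itself on the second line,
# so the remaining lines are still live code; the rule never looks at them.
_WIDTH = len(OBFUSCATED_FILE[1])
EVADED_FILE = [
    "<?php",
    "  /**".ljust(_WIDTH),
    "  * ".ljust(_WIDTH - 2) + "*/",
    *OBFUSCATED_FILE[3:],
]


# --- the rule, before and after the proposed change --------------------------

def _padded_block_after_open_tag(first_lines, line_num) -> bool:
    """Structural test shared by both versions: a short file opening with <?php
    followed by eight lines of identical length above 40 characters, the
    fourth of which starts with a space."""
    if not (len(first_lines) > 12 and line_num < 30 and first_lines[0] == "<?php"):
        return False
    same_width = len({len(line) for line in first_lines[1:9]}) == 1
    return same_width and len(first_lines[3]) > 40 and first_lines[3][0] == " "


def original_rule(first_lines, line_num) -> bool:
    """The rule as it stands in the issue: structure alone triggers it."""
    return _padded_block_after_open_tag(first_lines, line_num)


COMMENT_OPENER = re.compile(r"^\s*/\*\*")
COMMENT_BODY = re.compile(r"^\s*\*")


def proposed_rule(first_lines, line_num) -> bool:
    """The rule with the issue's exclusion for /** ... */ header blocks."""
    if not _padded_block_after_open_tag(first_lines, line_num):
        return False
    if COMMENT_OPENER.match(first_lines[1]) and COMMENT_BODY.match(first_lines[2]):
        return False
    return True


def scan(first_lines):
    """Return (original, proposed) verdicts for one file's lines."""
    line_num = len(first_lines)  # assumption: total line count of the file
    return original_rule(first_lines, line_num), proposed_rule(first_lines, line_num)


if __name__ == "__main__":
    for name, lines in (("legit", LEGIT_FILE), ("obfuscated", OBFUSCATED_FILE),
                        ("evaded", EVADED_FILE)):
        orig, prop = scan(lines)
        print(f"{name:10s} original={orig!s:5} proposed={prop!s:5}")
```

The first two cases show the fix doing what the issue asks: the GPL header stops firing and the padded eval() filler still does. The third case is the caveat a reviewer would raise: the exclusion tests only how `first_lines[1]` and `first_lines[2]` look, and the attacker writes the whole file, so a two-line comment that closes itself on the second line turns the fix into a bypass while the original rule still fires. A check that holds up against adversarial input has to look at what the padded lines contain (comment text versus PHP statements) rather than at whether the block is framed like a header.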
