PHP comments at the start of a file produce false positives of type PHP_OBFUSC_SHELL #15

@tntteam

Files that start with a comment block are reported as PHP shells. Example file:

<?php
  /**************************************************************************\
  * Phenix Agenda                                                            *
  * http://phenix.gapi.fr                                                    *
  * Written by Stephane TEIL <phenix-agenda@laposte.net>                     *
  * --------------------------------------------                             *
  *  This program is free software; you can redistribute it and/or modify it *
  *  under the terms of the GNU General Public License as published by the   *
  *  Free Software Foundation; either version 2 of the License, or (at your  *
  *  option) any later version.                                              *
  \**************************************************************************/

  require("inc/conf.inc.php");

  // Delete the selected entries
  if (!empty($ztSuppr)) {
    $DB_CX->DbQuery("DELETE FROM ${PREFIX_TABLE}information WHERE info_id IN (".$ztSuppr.")");
  }

  // Close the database connection
  $DB_CX->DbDeconnect();

  // Back to the watch page
  Header("location: info_surveille.php?sid=".$sid);
  exit;
?>

Scan result:

 {
        "score": 46,
        "filename": "info_valider.php",
        "cleanup": false,
        "details": [
            {
                "score": -2,
                "details": "",
                "rule": "INCLUDE_REQUIRE",
                "description": "Contient include() ou require() sans http"
            },
            {
                "score": -2,
                "details": "22 lines",
                "rule": "MANY_LINES",
                "description": "Contient beaucoup de lignes"
            },
            {
                "score": 50,
                "details": "",
                "rule": "PHP_OBFUSC_SHELL",
                "description": "Script Shell cach\u00e9"
            }
        ],
        "mtime": 1301060985.0,
        "ctime": 1441461515.0
    },

Here is how I propose to fix it.
Change:

    if len(first_lines) > 12 and line_num < 30  and first_lines[0] == '<?php' and \
            len(first_lines[1]) == len(first_lines[2]) == len(first_lines[3]) == len(first_lines[4]) == len(first_lines[5]) == len(first_lines[6]) == len(first_lines[7]) == len(first_lines[8]) and len(first_lines[3]) > 40 and first_lines[3][0] == ' ':
        score.append(('PHP_OBFUSC_SHELL', ''))

To:

    if len(first_lines) > 12 and line_num < 30  and first_lines[0] == '<?php' and \
            len(first_lines[1]) == len(first_lines[2]) == len(first_lines[3]) == len(first_lines[4]) == len(first_lines[5]) == len(first_lines[6]) == len(first_lines[7]) == len(first_lines[8]) and len(first_lines[3]) > 40 and first_lines[3][0] == ' ':
        # Skip files whose equal-width block is a /** ... */ comment box
        if not (re.match(r'^\s*/\*\*', first_lines[1]) and re.match(r'^\s*\*', first_lines[2])):
            score.append(('PHP_OBFUSC_SHELL', ''))
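The rule behind this report flags a file whose lines 1 to 8 after `<?php` all have the same width, are wider than 40 characters and start with a space: the shape of a payload padded into a block, but also the shape of a boxed licence header. The following stand-alone re-implementation is an added example, not the scanner's own code: it reproduces the condition quoted above together with the proposed comment-block exclusion and runs it over two constructed inputs, a rebuild of the legitimate header from this issue and a padded block of placeholder assignments. `line_num` being the file's line count and `first_lines` holding at most the first 30 lines are assumptions, since the scanner's surrounding code is not on the page.

```python
import re
from typing import List, Tuple

# --- Constructed samples (not files from the project) -----------------------

def boxed_comment(text_lines: List[str], width: int = 76) -> List[str]:
    """Build a /*** ... ***/ licence box whose lines all have the same width,
    the shape of the header in the file quoted in the issue."""
    top = "  /" + "*" * (width - 2) + "\\"
    body = ["  * " + t.ljust(width - 3) + "*" for t in text_lines]
    bottom = "  \\" + "*" * (width - 2) + "/"
    return [top] + body + [bottom]

# Legitimate script: a boxed header, then ordinary code (22 lines in total).
LEGIT_LINES = ["<?php"] + boxed_comment([
    "Phenix Agenda",
    "http://phenix.gapi.fr",
    "Written by Stephane TEIL <phenix-agenda@laposte.net>",
    "--------------------------------------------",
    "This program is free software; you can redistribute it and/or modify it",
    "under the terms of the GNU General Public License as published by the",
    "Free Software Foundation; either version 2 of the License, or (at your",
    "option) any later version.",
]) + [
    "",
    '  require("inc/conf.inc.php");',
    "",
    "  // Delete the selected entries",
    "  if (!empty($ztSuppr)) {",
    '    $DB_CX->DbQuery("DELETE FROM ${PREFIX_TABLE}information WHERE info_id IN (".$ztSuppr.")");',
    "  }",
    "  $DB_CX->DbDeconnect();",
    '  Header("location: info_surveille.php?sid=".$sid);',
    "  exit;",
    "?>",
]
LEGIT_FILE = "\n".join(LEGIT_LINES)

# Ten assignments padded to exactly the same width: the layout the rule was
# written to catch. The "A" filler is a placeholder, not a real payload.
PADDED_LINES = ["<?php"] + [
    f'  $p{i} = "{"A" * 50}";' for i in range(10)
] + ["  echo $p0;", "?>"]
PADDED_FILE = "\n".join(PADDED_LINES)

# --- The heuristic ----------------------------------------------------------

def is_boxed_comment(first_lines: List[str]) -> bool:
    """Exclusion proposed in the issue: the line after '<?php' opens a '/**'
    comment and the next line continues it with '*'."""
    return bool(re.match(r'^\s*/\*\*', first_lines[1])
                and re.match(r'^\s*\*', first_lines[2]))

def php_obfusc_shell(source: str, exclude_comments: bool = True) -> List[Tuple[str, str]]:
    """PHP_OBFUSC_SHELL as quoted in the issue, with the proposed exclusion
    switchable so the before/after behaviour can be compared.
    Assumptions: line_num is the file's line count; first_lines holds at most
    the first 30 lines of the file."""
    score: List[Tuple[str, str]] = []
    lines = source.splitlines()
    line_num = len(lines)
    first_lines = lines[:30]
    if (len(first_lines) > 12 and line_num < 30
            and first_lines[0] == '<?php'
            # lines 1..8 all have the same width ...
            and len({len(line) for line in first_lines[1:9]}) == 1
            # ... are wide and indented: a padded block, or a comment box
            and len(first_lines[3]) > 40 and first_lines[3][0] == ' '):
        if not (exclude_comments and is_boxed_comment(first_lines)):
            score.append(('PHP_OBFUSC_SHELL', ''))
    return score

if __name__ == "__main__":
    print("legit, before fix:", php_obfusc_shell(LEGIT_FILE, exclude_comments=False))
    print("legit, after fix: ", php_obfusc_shell(LEGIT_FILE))
    print("padded, after fix:", php_obfusc_shell(PADDED_FILE))
```

The exclusion is deliberately narrow: it only recognises boxes opened with `/**` on the line right after `<?php` and continued with `*`, so a header box opened with `/*` alone, or a box preceded by a blank line, would still trip the rule and would need its own case.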
