Plugin verify files - development

[Timbalu]

Since someone in the german forum asked to have some sort of automatic file integrity check, somehow necessary to have in case of compromised files panic , we discussed having at least some automatic list of all files outside of a Serendipty Release.

As I thought this might help some more people, I developed a plugin including the cores integrity check, which is done by the checksum file, and additionally a diff to the current installation files, showing missing core files and additional files versus the checksum file array. After plugin installation, you will find a new link in the admin sidebar to go for it.

If anybody has more ideas this would be a good point to discuss and develop the plugin here, before we put it up to CVS.

serendipity_event_verify_v.1.0.8+.zip

deflate to serendipity/plugins, updated ~2012/12/01

(9.37 KiB) Downloaded 348 times

[Timbalu]

I just added a basic check for hacked php files using "eval(base64_decode", please test.
Are there any other strings we could check for?

[garvinhicking]

Hi!

"fpassthru" could also be a good detector; generally "exec(" and "eval(" could be added, we would only need to exclude a few bundled PEAR libs from creating false errors?

Good idea!

Regards,
Garvin

[Timbalu]

hmmm, not really ... I found at least 22 clean files here, without knowing how many there are, if someone has some more plugins active...

Search "eval(" (19 hits in 13 php files) in /bundled-libs/ (11), /plugins/ (1), /tests/ (1) - takes also things like "serializeval("
Search "exec(" (12 hits in 8 php files) in /htmlarea/ (4), /include/ (1), /plugins/ (3)
Search "fpassthru" (1 hit in 1 php file) in / (1)

Downsizing, would be some ~17 files to exclude, leaving /htmlarea/ files to alert.
This might get complicated trying to fetch all these excludements. Any ideas?

[Timbalu]

It wasn't to bad excluding a file array and including search needles to get this to work and I uploaded v. 1.02. I still need some testers, to give me more information about possible more files to exclude. Just run 'Verify additional files' to see some output, if any.

[onli]

Hi
Got this in my testinstallation:

Code: Select all

Possible infected php files in Installation

filename: plugins/serendipity_event_spamblock_bayes/serendipity_event_spamblock_bayes.php : 
filetype: file, was last modified: April 20 2011 19:32:23.
filename: plugins/serendipity_event_xmlrpc/PEAR/XML/RPC.php : 
filetype: file, was last modified: February 24 2011 19:46:48.
filename: plugins/serendipity_event_autotitle/serendipity_event_autotitle.php : 
filetype: file, was last modified: January 21 2011 12:45:02.
filename: templates_c/plus9^%%62^622^62255D3C%%entries.tpl.php : 
filetype: file, was last modified: March 25 2011 15:27:39.
filename: templates_c/bulletproof^%%CD^CD5^CD50A5BF%%entries.tpl.php : 
filetype: file, was last modified: January 21 2011 12:52:53.
filename: templates_c/serendipity-1.5.5/serendipity/include/functions_images.inc.php : 
filetype: file, was last modified: January 21 2011 12:52:41.
filename: templates_c/serendipity-1.5.5/serendipity/htmlarea/plugins/ImageManager/Classes/IM.php : 
filetype: file, was last modified: January 21 2011 12:52:41.
filename: templates_c/serendipity-1.5.5/serendipity/htmlarea/plugins/SpellChecker/aspell_setup.php : 
filetype: file, was last modified: January 21 2011 12:52:41.
filename: templates_c/serendipity-1.5.5/serendipity/htmlarea/plugins/SpellChecker/spell-check-logic.php : 
filetype: file, was last modified: January 21 2011 12:52:41.
filename: templates_c/serendipity-1.5.5/serendipity/htmlarea/plugins/SpellChecker/spell-check-savedicts.php : 
filetype: file, was last modified: January 21 2011 12:52:41.
filename: templates_c/serendipity-1.5.5/serendipity/bundled-libs/Smarty/libs/Smarty.class.php : 
filetype: file, was last modified: January 21 2011 12:52:42.
filename: templates_c/serendipity-1.5.5/serendipity/bundled-libs/Smarty/libs/plugins/function.math.php : 
filetype: file, was last modified: January 21 2011 12:52:42.
filename: templates_c/serendipity-1.5.5/serendipity/bundled-libs/Smarty/libs/plugins/function.mailto.php : 
filetype: file, was last modified: January 21 2011 12:52:42.
filename: templates_c/serendipity-1.5.5/serendipity/bundled-libs/Smarty/libs/plugins/function.eval.php : 
filetype: file, was last modified: January 21 2011 12:52:42.
filename: templates_c/serendipity-1.5.5/serendipity/bundled-libs/Smarty/libs/internals/core.process_cached_inserts.php : 
filetype: file, was last modified: January 21 2011 12:52:42.
filename: templates_c/serendipity-1.5.5/serendipity/bundled-libs/Smarty/libs/internals/core.smarty_include_php.php :
filetype: file, was last modified: January 21 2011 12:52:42.
filename: templates_c/serendipity-1.5.5/serendipity/bundled-libs/Smarty/libs/internals/core.run_insert_handler.php : 
filetype: file, was last modified: January 21 2011 12:52:42.
filename: templates_c/serendipity-1.5.5/serendipity/bundled-libs/PEAR.php : 
filetype: file, was last modified: January 21 2011 12:52:42.
filename: templates_c/serendipity-1.5.5/serendipity/bundled-libs/XML/RPC.php : 
filetype: file, was last modified: January 21 2011 12:52:42.
filename: templates_c/serendipity-1.5.5/serendipity/plugins/serendipity_event_spartacus/serendipity_event_spartacus.php : 
filetype: file, was last modified: January 21 2011 12:52:40.
filename: templates_c/serendipity-1.5.5/serendipity/serendipity_admin_image_selector.php : 
filetype: file, was last modified: January 21 2011 12:52:42.
Please check these files with an editor for strings like: "eval( or exec( or eval(base64_decode or fpassthru" and inform the 'Serendipty Forum' board!

Search "eval(" (19 hits in 13 php files) in /bundled-libs/ (11), /plugins/ (1), /tests/ (1) - takes also things like "serializeval("

You could surely prevent serializeeval to be found when searching for " eval" or "\seval" or something like that.

[garvinhicking]

Hi!

Your test installation at least has a strangely stacked templates_c/serendipity-1.5.5/ which contains the original s9y release again? I believe that's a reason why you get so many hits...

Regards,
Garvin

[Timbalu]

Hi Malte

Thank you, 3 more plugin files to exclude.

Are you sure these 2 are based to the 1.5.5 template releases?

• filename: templates_c/plus9^%%62^622^62255D3C%%entries.tpl.php :
  filetype: file, was last modified: March 25 2011 15:27:39.
  filename: templates_c/bulletproof^%%CD^CD5^CD50A5BF%%entries.tpl.php :
  filetype: file, was last modified: January 21 2011 12:52:53.

If yes, we can't really filter them out the array of possible infected files, also all the autoupdater files in templates_c, without getting very complicated.

You could surely prevent serializeeval to be found when searching for " eval" or "\seval" or something like that.

No not really, apart from having some more *eval* names, since I am searching in a minimized file_get_contents() with strpos ... this only affects ~2 files by now

The excluded file array is now by 25, which, growing up, opens a hole to more intelligent hackers to compromise just one or two of these and get away with it.
We could chmod them automatically to read only, by using this plugin, but if this is a good way to go ... I don't know.

Edit:
Well, actually the current file array is by 25, since I have the new Smarty here, which isn't present in the checksum file - 10 files in it belong to the next Smarty, so future Verify Versions will have 10 files less, ergo 15 by now.
Before I update, I'd be pleased if some more could test it and report back!

Edit 2:
Sorry! I should have tested with a vanilla install...
If you dont have changed any core files, the array shrinks to pleasant 6 files(*), all in /plugins/. Thats something to live with.
Garvin, did some older or testing Serendipity Release ship with the /tests/ folder? I got one here and just realized 1.5.5 hasen't got it. If this is a remnant, could we erase it with the 1.6 release? (tests/coverage/phpunit_coverage.php)
*since this is including a diff to the checksum files

[onli]

Are you sure these 2 are based to the 1.5.5 template releases?

No, i'm not. I checked all the plugins and it is quite possible i added a newline or something.

Garvin, the stacked files are quite possible the result of the autoupdater-plugin.

[Timbalu]

Are you sure these 2 are based to the 1.5.5 template releases?

No, i'm not. I checked all the plugins and it is quite possible i added a newline or something.

No sorry, thats not what I meant, ..., 'plus9' wont be in a release and some compiled templates use eval like

Code: Select all

<?php echo smarty_function_eval(array('var' => $this->_tpl_vars['footer_totalPages']-6,'assign' => 'paginationStartPage'), $this);?> 

I found one build by bulletproof entries.tpl, which occurced to be old. "Old" meaning some Smarty Version 2.6.x. My test Blog runs Smarty 3.08, which does not do this any more, ... instead using:

Code: Select all

<?php $_template = new Smarty_Internal_Template('eval:'.$_smarty_tpl->getVariable('footer_totalPages')->value-6, $_smarty_tpl->smarty, $_smarty_tpl);$_smarty_tpl->assign("paginationStartPage",$_template->getRenderedTemplate()); ?>

[Timbalu]

Sorry! I should have tested with a vanilla install...
If you dont have changed any core files, the array shrinks to pleasant 6 files(*), all in /plugins/. Thats something to live with.
Garvin, did some older or testing Serendipity Release ship with the /tests/ folder? I got one here and just realized 1.5.5 hasen't got it. If this is a remnant, could we erase it with the 1.6 release? (tests/coverage/phpunit_coverage.php)
*since this is including a diff to the checksum files

I updated the zip, to confirm the new array. Please test and report.
Garvin, could you tell me something about /tests please.

[Timbalu]

Yes, /tests dir comes with development versions and without a checksums file array.
So I moved some things around, decided to include the /tests file again and added another error message.
Please test v.1.04, to make this a widely and useful integrity helper plugin.

[Timbalu]

I saw I forgot to drop 1.05 here in summer, therefore we jump to 1.06, as of the official release of S9y 1.6. If you upgrade, you may need to clean your templates_c or your browsers cache by F5 to get things up...

Changelog:

1.06:
-----

changed function verifyAllFiles() to match empty array returning as a string and added (array) to 2cd argument of array_merge()
added (string) to property since we use array_flip later, which needs values to be Integer or Strings


1.05:
-----

added 'use PHP 5.1 up error' if file search array is empty
added some more files to list of exceptions
changed strpos to stripos to search case insensitive
added inset bad words in search for .htm files too
added inset bad words 'iframe'
added de lang files

[Timbalu]

I just released version 1.07, which has

Code: Select all

added another file to exclude,
fixed the output of show_verified_files array function and
fixed the Directory Seperator of excludement array.

Please download in updated first post.

If you have any interesting ideas for this plugin, just drop me a PM, please.