
Plugin verify files - development

Posted: Sun May 29, 2011 9:15 pm
by Timbalu
Since someone in the German forum asked to have some sort of automatic file integrity check, somehow necessary to have in case of compromised files panic :wink: , we discussed having at least some automatic list of all files outside of a Serendipity Release.

As I thought this might help some more people, I developed a plugin including the core's integrity check, which is done by the checksum file, and additionally a diff to the current installation files, showing missing core files and additional files versus the checksum file array. After plugin installation, you will find a new link in the admin sidebar to go for it.

If anybody has more ideas this would be a good point to discuss and develop the plugin here, before we put it up to CVS.
serendipity_event_verify_v.1.0.8+.zip
deflate to serendipity/plugins, updated ~2012/12/01
(9.37 KiB) Downloaded 276 times

Re: Plugin verify files - development

Posted: Thu Jun 09, 2011 2:30 pm
by Timbalu
I just added a basic check for hacked php files using "eval(base64_decode", please test.
Are there any other strings we could check for?

Re: Plugin verify files - development

Posted: Thu Jun 09, 2011 3:51 pm
by garvinhicking
Hi!

"fpassthru" could also be a good detector; generally "exec(" and "eval(" could be added, we would only need to exclude a few bundled PEAR libs from creating false errors?

Good idea!

Regards,
Garvin

Re: Plugin verify files - development

Posted: Thu Jun 09, 2011 5:02 pm
by Timbalu
hmmm, not really ... I found at least 22 clean files here, without knowing how many there are, if someone has some more plugins active...

Search "eval(" (19 hits in 13 php files) in /bundled-libs/ (11), /plugins/ (1), /tests/ (1) - takes also things like "serializeval("
Search "exec(" (12 hits in 8 php files) in /htmlarea/ (4), /include/ (1), /plugins/ (3)
Search "fpassthru" (1 hit in 1 php file) in / (1)


Downsizing, would be some ~17 files to exclude, leaving /htmlarea/ files to alert.
This might get complicated trying to fetch all these excludements. Any ideas?

Re: Plugin verify files - development

Posted: Thu Jun 09, 2011 8:59 pm
by Timbalu
It wasn't too bad excluding a file array and including search needles to get this to work and I uploaded v. 1.02. I still need some testers, to give me more information about possible more files to exclude. Just run 'Verify additional files' to see some output, if any.

Re: Plugin verify files - development

Posted: Fri Jun 10, 2011 2:15 pm
by onli
Hi
Got this in my test installation:

Code:

Possible infected php files in Installation

filename: plugins/serendipity_event_spamblock_bayes/serendipity_event_spamblock_bayes.php : 
filetype: file, was last modified: April 20 2011 19:32:23.
filename: plugins/serendipity_event_xmlrpc/PEAR/XML/RPC.php : 
filetype: file, was last modified: February 24 2011 19:46:48.
filename: plugins/serendipity_event_autotitle/serendipity_event_autotitle.php : 
filetype: file, was last modified: January 21 2011 12:45:02.
filename: templates_c/plus9^%%62^622^62255D3C%%entries.tpl.php : 
filetype: file, was last modified: March 25 2011 15:27:39.
filename: templates_c/bulletproof^%%CD^CD5^CD50A5BF%%entries.tpl.php : 
filetype: file, was last modified: January 21 2011 12:52:53.
filename: templates_c/serendipity-1.5.5/serendipity/include/functions_images.inc.php : 
filetype: file, was last modified: January 21 2011 12:52:41.
filename: templates_c/serendipity-1.5.5/serendipity/htmlarea/plugins/ImageManager/Classes/IM.php : 
filetype: file, was last modified: January 21 2011 12:52:41.
filename: templates_c/serendipity-1.5.5/serendipity/htmlarea/plugins/SpellChecker/aspell_setup.php : 
filetype: file, was last modified: January 21 2011 12:52:41.
filename: templates_c/serendipity-1.5.5/serendipity/htmlarea/plugins/SpellChecker/spell-check-logic.php : 
filetype: file, was last modified: January 21 2011 12:52:41.
filename: templates_c/serendipity-1.5.5/serendipity/htmlarea/plugins/SpellChecker/spell-check-savedicts.php : 
filetype: file, was last modified: January 21 2011 12:52:41.
filename: templates_c/serendipity-1.5.5/serendipity/bundled-libs/Smarty/libs/Smarty.class.php : 
filetype: file, was last modified: January 21 2011 12:52:42.
filename: templates_c/serendipity-1.5.5/serendipity/bundled-libs/Smarty/libs/plugins/function.math.php : 
filetype: file, was last modified: January 21 2011 12:52:42.
filename: templates_c/serendipity-1.5.5/serendipity/bundled-libs/Smarty/libs/plugins/function.mailto.php : 
filetype: file, was last modified: January 21 2011 12:52:42.
filename: templates_c/serendipity-1.5.5/serendipity/bundled-libs/Smarty/libs/plugins/function.eval.php : 
filetype: file, was last modified: January 21 2011 12:52:42.
filename: templates_c/serendipity-1.5.5/serendipity/bundled-libs/Smarty/libs/internals/core.process_cached_inserts.php : 
filetype: file, was last modified: January 21 2011 12:52:42.
filename: templates_c/serendipity-1.5.5/serendipity/bundled-libs/Smarty/libs/internals/core.smarty_include_php.php :
filetype: file, was last modified: January 21 2011 12:52:42.
filename: templates_c/serendipity-1.5.5/serendipity/bundled-libs/Smarty/libs/internals/core.run_insert_handler.php : 
filetype: file, was last modified: January 21 2011 12:52:42.
filename: templates_c/serendipity-1.5.5/serendipity/bundled-libs/PEAR.php : 
filetype: file, was last modified: January 21 2011 12:52:42.
filename: templates_c/serendipity-1.5.5/serendipity/bundled-libs/XML/RPC.php : 
filetype: file, was last modified: January 21 2011 12:52:42.
filename: templates_c/serendipity-1.5.5/serendipity/plugins/serendipity_event_spartacus/serendipity_event_spartacus.php : 
filetype: file, was last modified: January 21 2011 12:52:40.
filename: templates_c/serendipity-1.5.5/serendipity/serendipity_admin_image_selector.php : 
filetype: file, was last modified: January 21 2011 12:52:42.
Please check these files with an editor for strings like: "eval( or exec( or eval(base64_decode or fpassthru" and inform the 'Serendipty Forum' board!
Timbalu wrote:
Search "eval(" (19 hits in 13 php files) in /bundled-libs/ (11), /plugins/ (1), /tests/ (1) - takes also things like "serializeval("

You could surely prevent serializeeval to be found when searching for " eval" or "\seval" or something like that.

Re: Plugin verify files - development

Posted: Fri Jun 10, 2011 2:27 pm
by garvinhicking
Hi!

Your test installation at least has a strangely stacked templates_c/serendipity-1.5.5/ which contains the original s9y release again? I believe that's a reason why you get so many hits...

Regards,
Garvin

Re: Plugin verify files - development

Posted: Fri Jun 10, 2011 2:34 pm
by Timbalu
Hi Malte

Thank you, 3 more plugin files to exclude.

Are you sure these 2 are based on the 1.5.5 template releases?
  • filename: templates_c/plus9^%%62^622^62255D3C%%entries.tpl.php :
    filetype: file, was last modified: March 25 2011 15:27:39.
    filename: templates_c/bulletproof^%%CD^CD5^CD50A5BF%%entries.tpl.php :
    filetype: file, was last modified: January 21 2011 12:52:53.

If yes, we can't really filter them out of the array of possibly infected files, also all the autoupdater files in templates_c, without getting very complicated.
onli wrote:
You could surely prevent serializeeval to be found when searching for " eval" or "\seval" or something like that.

No not really, apart from having some more *eval* names, since I am searching in a minimized file_get_contents() with strpos ... this only affects ~2 files by now

The excluded file array is now at 25, which, growing up, opens a hole to more intelligent hackers to compromise just one or two of these and get away with it.
We could chmod them automatically to read only, by using this plugin, but if this is a good way to go ... I don't know.

Edit:
Well, actually the current file array is at 25, since I have the new Smarty here, which isn't present in the checksum file - 10 files in it belong to the next Smarty, so future Verify Versions will have 10 files less, ergo 15 by now.
Before I update, I'd be pleased if some more could test it and report back!

Edit 2:
Sorry! I should have tested with a vanilla install...
If you haven't changed any core files, the array shrinks to a pleasant 6 files(*), all in /plugins/. That's something to live with. ;-)
Garvin, did some older or testing Serendipity Release ship with the /tests/ folder? I got one here and just realized 1.5.5 hasn't got it. If this is a remnant, could we erase it with the 1.6 release? (tests/coverage/phpunit_coverage.php)
*since this is including a diff to the checksum files
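
An added example (not part of the thread and not the plugin's code) for two points raised in the discussion: matching the needles only as function calls, so that "serializeval(" and "smarty_function_eval(" do not trigger, and tying each excluded file to a hash of its reviewed contents, so that a changed excluded file still raises an alert. The function names, paths and file contents are constructed for illustration, and treating base64_decode as its own needle is an assumption.

```php
<?php
// Added example, not the plugin's code. Needles are derived from the strings named in the thread.
const NEEDLES = ['eval', 'exec', 'fpassthru', 'base64_decode'];

// Return the needles used as function calls in $source. The lookbehind rejects
// a needle that is only the tail of a longer name ("serializeval(",
// "smarty_function_eval(") or a method call ("->exec(", "::exec(").
function findNeedles(string $source): array
{
    $alt = implode('|', array_map('preg_quote', NEEDLES));
    preg_match_all('/(?<![\w$>:])(' . $alt . ')\s*\(/i', $source, $m);
    return array_values(array_unique(array_map('strtolower', $m[1])));
}

// $files:  relative path => contents (in-memory stand-in for the install tree).
// $pinned: relative path => SHA-256 of the reviewed, known-clean version.
// A pinned file is skipped only while its hash still matches, so editing an
// excluded file produces an alert instead of being hidden by the exclusion.
function scanTree(array $files, array $pinned): array
{
    $alerts = [];
    foreach ($files as $path => $source) {
        $hits = findNeedles($source);
        if ($hits === []) {
            continue;
        }
        $isPinned = isset($pinned[$path]);
        if ($isPinned && hash_equals($pinned[$path], hash('sha256', $source))) {
            continue; // reviewed file, unchanged since review
        }
        $alerts[$path] = ['needles' => $hits, 'excluded_file_changed' => $isPinned];
    }
    return $alerts;
}

// Constructed sample data: hypothetical paths and contents.
$reviewed = '<?php function run($c) { return exec($c); }';
$files = [
    'bundled-libs/rpc.php'    => '<?php $x = $rpc->serializeval($v);',
    'templates_c/entries.php' => '<?php echo smarty_function_eval($a, $this);',
    'plugins/a/a.php'         => $reviewed,
    'plugins/b/b.php'         => $reviewed . ' eval(base64_decode($blob));',
];
$pinned = [
    'plugins/a/a.php' => hash('sha256', $reviewed),
    'plugins/b/b.php' => hash('sha256', $reviewed),
];

print_r(scanTree($files, $pinned));
```

The pinned hashes have to be stored where the web server user cannot rewrite them, otherwise whoever modifies an excluded file can update its hash as well.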

Re: Plugin verify files - development

Posted: Fri Jun 10, 2011 3:22 pm
by onli
Timbalu wrote:
Are you sure these 2 are based on the 1.5.5 template releases?

No, I'm not. I checked all the plugins and it is quite possible I added a newline or something.

Garvin, the stacked files are quite possibly the result of the autoupdater-plugin.

Re: Plugin verify files - development

Posted: Fri Jun 10, 2011 3:36 pm
by Timbalu
onli wrote:
Are you sure these 2 are based on the 1.5.5 template releases?
No, I'm not. I checked all the plugins and it is quite possible I added a newline or something.

No sorry, that's not what I meant, ..., 'plus9' won't be in a release and some compiled templates use eval like

Code:

<?php echo smarty_function_eval(array('var' => $this->_tpl_vars['footer_totalPages']-6,'assign' => 'paginationStartPage'), $this);?> 
I found one built by bulletproof entries.tpl, which occurred to be old. "Old" meaning some Smarty Version 2.6.x. My test Blog runs Smarty 3.08, which does not do this any more, ... instead using:

Code:

<?php $_template = new Smarty_Internal_Template('eval:'.$_smarty_tpl->getVariable('footer_totalPages')->value-6, $_smarty_tpl->smarty, $_smarty_tpl);$_smarty_tpl->assign("paginationStartPage",$_template->getRenderedTemplate()); ?>

Re: Plugin verify files - development

Posted: Sat Jun 11, 2011 12:47 pm
by Timbalu
Timbalu wrote: Sorry! I should have tested with a vanilla install...
If you haven't changed any core files, the array shrinks to a pleasant 6 files(*), all in /plugins/. That's something to live with. ;-)
Garvin, did some older or testing Serendipity Release ship with the /tests/ folder? I got one here and just realized 1.5.5 hasn't got it. If this is a remnant, could we erase it with the 1.6 release? (tests/coverage/phpunit_coverage.php)
*since this is including a diff to the checksum files

I updated the zip, to confirm the new array. Please test and report.
Garvin, could you tell me something about /tests please.

Re: Plugin verify files - development

Posted: Sun Jun 12, 2011 2:47 pm
by Timbalu
Yes, /tests dir comes with development versions and without a checksums file array.
So I moved some things around, decided to include the /tests file again and added another error message.
Please test v.1.04, to make this a widely and useful integrity helper plugin.

Re: Plugin verify files - development

Posted: Fri Oct 28, 2011 5:28 pm
by Timbalu
I saw I forgot to drop 1.05 here in summer, therefore we jump to 1.06, as of the official release of S9y 1.6. :wink: If you upgrade, you may need to clean your templates_c or your browser's cache by F5 to get things up...

Changelog:

1.06:
-----

changed function verifyAllFiles() to match empty array returning as a string and added (array) to 2nd argument of array_merge()
added (string) to property since we use array_flip later, which needs values to be Integer or Strings


1.05:
-----

added 'use PHP 5.1 up error' if file search array is empty
added some more files to list of exceptions
changed strpos to stripos to search case insensitive
added inset bad words in search for .htm files too
added inset bad words 'iframe'
added de lang files

Re: Plugin verify files - development

Posted: Wed Nov 09, 2011 7:02 pm
by Timbalu
I just released version 1.07, which has

Code:

added another file to exclude,
fixed the output of show_verified_files array function and
fixed the Directory Separator of excludement array.
Please download in updated first post.

If you have any interesting ideas for this plugin, just drop me a PM, please.