• Resolved infodweaver

    (@infodweaver)


    Hello,

    We have encountered issues with multiple sites falsely flagging files uploaded either through the Gravity Forms file upload field or, sometimes, through WordPress’ file uploader (both ajax and non-ajax).

    We have already done the preliminary diagnostic steps from other support articles saying to enable Learning Mode and upload the files while it is turned on. This has no effect and in fact does not add any visible whitelisted rules to the firewall.

    The only way we have been able to resolve this is to disable the firewall rule: “Malicious File Upload (PHP)”. Although this is not desirable, this is the only way we can get file uploads to work again.

    This is happening not just with a single file but with multiple files. We believe this rule is written too broadly and is causing a lot of false positives.

    Also, there is no way we can whitelist the traffic through the live traffic viewer since these blocks are not showing up in the traffic logs – even after turning on the “All Traffic” option.

    Please let us know if there is a way we can help resolve this permanently without disabling this rule.
    Thanks,

    Daniel Weaver

    • This topic was modified 3 years, 2 months ago by infodweaver.
Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @infodweaver, thanks for detailing the exact issue.

    We have recently had to recommend turning this specific setting off for some customers running PHP8 as the flexibility of what it considers valid PHP code makes for an increase in false positives. Is that the case for you or are you still on PHP7? We do plan to address the issue for PHP8 in a future plugin release.

    There are actually two rules for Malicious File Upload, the second titled “Malicious File Upload (Patterns)”. This rule checks the actual contents of the uploaded file(s) for malicious code, so if you are able to continue running Wordfence successfully with this turned on, you are still very well protected.

    I hope that helps you out, and am happy to help further if you feel it needs more investigation.

    Thanks,

    Peter.

    Thread Starter infodweaver

    (@infodweaver)

    @wfpeter

    That lines up with what we have encountered so far. All the sites having issues have been upgraded to PHP 8. So I guess we will disable that rule for now and wait for the update.

    There is one more concern I had mentioned in my description above. The Live Traffic view is not showing these uploads being blocked (even if the All Traffic switch is turned on). It would be super helpful in diagnosing upload errors if the firewall log showed some sort of entry for when it blocks file uploads.

    Is this how the Live Traffic feature is meant to work?

    Plugin Support wfpeter

    (@wfpeter)

    Hi @infodweaver,

    I’ve been speaking to the wider threat intelligence team and there does seem to be a correlation between the false positives and blocked hits for that rule not showing in live traffic. Often this is related to lower-level or unauthenticated users being able to upload files, which may be the case here?

    The rule ultimately should pick up fewer false positives on PHP7, but as part of the PHP8 updates I spoke of before, we are also working on ensuring any issues with Live Traffic are also addressed at the same time. I’m unable to comment on delivery dates for certain plugin updates here on the forums as timescales can change, but I appreciate your reporting of this and it will be addressed.

    Thanks,

    Peter.

  • The topic ‘False Positive File with Malicious File Upload (PHP) Rule’ is closed to new replies.