• Resolved losttech

    (@losttech)


    Hi,

    The Wordfence scan has triggered some critical errors indicating malicious code coming only from your plugin.

    Example:
    File appears to be malicious or unsafe: xxx/miniorange-saml-20-single-sign-on/LogoutRequest.php
    Type: File

    Filename: xxx/miniorange-saml-20-single-sign-on/LogoutRequest.php
    File Type: Not a core, theme, or plugin file from www.remarpro.com.
    Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: include_once “\125\x74\151

    The issue type is: Backdoor:PHP/ObfuscatedInclude.6067
    Description: PHP include() statement with an obfuscated filepath.

    Inspecting these files, I see a lot of strings with values such as “\x4d\151\x73\x73\151\156\147\40\x49\x44\40\x61\164\x74\162\151\142\x75\x74\x65\40\x6f\x6e\x20\x53\x41\115\x4c\x20\155\x65\x73\x73\141\x67\x65\56”

    We are running miniOrange SSO using SAML 2.0, premium single site, Version 11.4.0.
    I read in a previous thread that “the premium plugin, the code that is deployed on your WordPress instance is protected.

    The tool that you are using to scan such plugins is primitive. It’s unable to distinguish between a malicious obfuscated code and our premium code which is for a valid reason.”

    Can you confirm if this is malicious code and a security threat that I should handle or if these are false positive thrown by Wordfence from your plugin’s “premium protected code”?
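
Added example, not part of the original post and not miniOrange or Wordfence code: a small Python decoder for the PHP double-quoted escapes (`\xHH` and octal) quoted in the post above, useful for reading what a flagged string or include path actually says before deciding how to triage it. The `SAMPLE` line and its file name are constructed for illustration.

```python
import re

# PHP double-quoted escapes: \xHH, \ooo (1-3 octal digits), \u{...}, single characters.
_ESC = re.compile(r'\\(?:x([0-9A-Fa-f]{1,2})|([0-7]{1,3})|u\{([0-9A-Fa-f]+)\}|(.))', re.S)
_SIMPLE = {'n': '\n', 'r': '\r', 't': '\t', 'v': '\v', 'e': '\x1b', 'f': '\f',
           '\\': '\\', '$': '$', '"': '"'}
# include/require followed by a double-quoted literal path, with or without parentheses.
_INCLUDE = re.compile(r'\b((?:include|require)(?:_once)?)\s*\(?\s*"((?:[^"\\]|\\.)*)"', re.S)

def decode_php_string(body):
    """Decode the body of a PHP double-quoted literal (variable interpolation is ignored)."""
    def repl(m):
        hx, octal, uni, ch = m.groups()
        if hx:
            return chr(int(hx, 16))           # byte values above 0x7F are shown as Latin-1
        if octal:
            return chr(int(octal, 8) & 0xFF)  # PHP wraps octal values above \377
        if uni:
            return chr(int(uni, 16))
        return _SIMPLE.get(ch, '\\' + ch)     # unknown escapes keep their backslash
    return _ESC.sub(repl, body)

def decoded_includes(php_source):
    """Return (keyword, decoded path) for each include/require of a literal string."""
    return [(m.group(1), decode_php_string(m.group(2)))
            for m in _INCLUDE.finditer(php_source)]

# String quoted in the post above, copied as written.
PAGE_STRING = (r'\x4d\151\x73\x73\151\156\147\40\x49\x44\40\x61\164\x74\162\151\142'
               r'\x75\x74\x65\40\x6f\x6e\x20\x53\x41\115\x4c\x20\155\x65\x73\x73\141'
               r'\x67\x65\56')
# Truncated match text from the Wordfence report; only these three escapes are on the page.
PAGE_FRAGMENT = r'\125\x74\151'
# Constructed sample line (hypothetical file name, not taken from the plugin).
SAMPLE = r'<?php include_once "\105\x78\141\x6d\160\x6c\145\56\x70\150\x70"; ?>'

if __name__ == '__main__':
    print(decode_php_string(PAGE_STRING))
    print(decode_php_string(PAGE_FRAGMENT))
    print(decoded_includes(SAMPLE))
```

Decoding only shows what the literal says; whether the file matches what the vendor shipped is a separate check.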

Viewing 1 replies (of 1 total)
  • Plugin Author miniOrange

    (@cyberlord92)

    Hi,

    We at miniOrange take security threats very seriously and will make sure to help you out with the issue that you have raised.

    If you can provide us the full error report generated by Wordfence, we would be more than happy to look into it and let you know if it’s an actual issue or a false positive.

    You can use the support form provided in the miniOrange SAML SSO plugin settings to reach out to us and send us the report.

    I would also like to notify you that you are using a very old version of the plugin.
    The latest version is 12.0.2, which contains a lot of feature improvements, bug fixes, security and compatibility fixes, etc.
    In order to make sure you are up to date with all the security fixes that we release in the plugin, we would strongly recommend you to update to the latest version.

    Thanks!

  • The topic ‘Malicious code detected from Wordfence’ is closed to new replies.