• Resolved wooassist

    (@wooassist)


    We have a Gravity Form on one of our products which accepts image upload. A customer seems to be getting blocked because of the image they are uploading. We checked the details on Live Traffic and it states “blocked by firewall for Malicious File Upload (PHP)”. We did some research about it and it seems it’s prone to false positives.

    So can you please just confirm for us if it is indeed a false positive or not. Let me know how we can securely send a copy of the image.

    • This topic was modified 3 months ago by wooassist.


Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @wooassist, sorry to hear one of your customers was affected by this.

    The good news is that there are multiple layers to how uploaded files are checked by Wordfence so if you’re unable to allowlist the action the traditional way through Live Traffic or Learning Mode, there are other options whilst still remaining protected.

    There are usually 3 possible rules involved. “Malicious File Upload”, “Malicious File Upload (PHP)” (as you’ve seen here) but also “Malicious File Upload (Patterns)”. These rules can be found in Wordfence > All Options > Firewall Options > Advanced Firewall Options > Rules after expanding the list. Make sure turning off one doesn’t cause customers to get caught by another, then just keep the problematic rule turned off.

    Many thanks,
    Peter.

    Thread Starter wooassist

    (@wooassist)

    We just want to confirm if it’s a false positive or if the user really did upload a malicious file. Can we send you the file for you to check, or at least let us know how we can confirm it ourselves?

    Plugin Support wfpeter

    (@wfpeter)

    Hi @wooassist,

    It’s highly likely that the file was a false-positive if the file was something you’re expecting inside the image but if the file does seem suspicious to you, you can always double-check with samples @ wordfence . com, who’d be able to give you a course of action if anything malicious was found.

    I will add though that uploaded images are extremely common to hit false-positives, as when viewed as text they can contain strings that look like PHP code (for one example amongst many) that could match part of something malicious in our database.

    Many thanks,
    Peter.
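
For the question raised in this thread (how to check a flagged image yourself), here is a local triage sketch added as an example; it is not Wordfence's rule logic and not code from either poster. It assumes the upload is a JPEG, and the names `jpeg_regions` and `triage`, the 32-byte window and the 0.85 threshold are hypothetical choices made for illustration.

```python
import re
import struct

PHP_TAG = re.compile(rb"<\?(?:php|=)", re.IGNORECASE)  # long and echo open tags

def jpeg_regions(data):
    """Map a JPEG into (start, end, label) spans: metadata, tables, scan, trailing."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    regions, pos = [], 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length
        if marker == 0xDA:  # SOS: compressed pixel data runs up to the last EOI
            eoi = data.rfind(b"\xff\xd9")
            eoi = eoi + 2 if eoi >= end else len(data)
            regions.append((end, eoi, "scan"))
            if eoi < len(data):
                regions.append((eoi, len(data), "trailing"))
            break
        label = "metadata" if marker == 0xFE or 0xE0 <= marker <= 0xEF else "tables"
        regions.append((pos + 4, end, label))
        pos = end
    return regions

def triage(data):
    """Report each PHP open tag: offset, region, and how text-like the next 32 bytes are."""
    regions = jpeg_regions(data)
    hits = []
    for m in PHP_TAG.finditer(data):
        region = next((lab for s, e, lab in regions if s <= m.start() < e), "other")
        window = data[m.end():m.end() + 32]
        printable = sum(32 <= b < 127 for b in window) / max(len(window), 1)
        hits.append({"offset": m.start(), "region": region,
                     "printable": round(printable, 2),
                     "suspicious": printable > 0.85})  # readable text follows the tag
    return hits

def _seg(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples: valid segment layout, not decodable images.
HEAD = b"\xff\xd8" + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
SCAN = _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
BENIGN = HEAD + SCAN + b"\x8a\x13<?=\xf3\x07\x9c\xe1\x00\xb2\x7f\xff\xd9"
FLAGGED = (HEAD + _seg(0xFE, b"<?php echo 'constructed-sample'; ?>")
           + SCAN + b"\x8a\x13\x9c\xff\xd9")
```

The result only tells you where in the file to look: a tag inside compressed scan data followed by binary noise is the coincidental match described above, while readable text after a tag in a comment, EXIF or trailing region deserves a closer look. Embedded EXIF thumbnails and multi-scan progressive files are not modelled.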
