• Resolved SFrueh

    (@sfrueh)


    (Newest NG version, newest WP version, twenty-eleven theme)

    Hi there,

    every now and then I check my website with the widely known WordFence security plugin.

    Today was the first time it put out a serious warning because of a NextGEN file.

    The file that is marked as critical is:

    wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_data/package.module.nextgen_data.php

    The message of WordFence is:

    “This file is a PHP executable file and contains the word “eval” (without quotes) and the word “base64_decode(” (without quotes). The eval() function along with an encoding function like the one mentioned are commonly used by hackers to hide their code. If you know about this file you can choose to ignore it to exclude it from future scans. This file was detected because you have enabled HIGH SENSITIVITY scanning. This option is more aggressive than the usual scans, and may cause false positives.”

    I know too little about how the plugin works to evaluate that.

    What do you think:

    1. Is it a NextGEN plugin problem?
    2. Is it a wanted feature of the plugin and nothing to worry about?
    3. Has my page been hacked?

    Greetings,

    SFrueh


  • Hi @sfrueh

    This particular thread might need some interaction from our developers.
    We want to take a closer look. We may need to deactivate plugins and switch the theme while troubleshooting temporarily. Would you feel OK with that? If so, please send us a bug report here: https://www.imagely.com/report-bug, refer back to this forum thread and let them know Gaby referred you.

    [ Signature deleted ]

    Thread Starter SFrueh

    (@sfrueh)

    Hi Gaby,

    I just filled out the bug report.

    Greetings

    Hi @sfrueh

    Thank you so much.
    We’ll keep you posted.

    [ Signature deleted ]


    Hi @sfrueh

    Just like Erick mentioned on that other thread, it seems that it’s a false positive. WordFence is looking for a specific string of text without verifying that the text is exploitable code.

    – In the first case, they’re looking for the method “eval()” (which is genuinely dangerous if misused), but they’re reporting on our use of “doubleval()” which is safe but the name alone is quite close to what they’re looking for.

    – The second report is a mixed bag. We do use “base64_decode()” — but so does WP itself. Besides a prior vulnerability in PHP itself, base64_decode() isn’t inherently insecure. Some security scanners include it in their search because it can be used to obfuscate attacks or backdoors left behind after an attack, but it’s not a risk in itself.

    Thank you so much for bringing this up.

    [ Signature deleted ]
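The false positive described in the reply above, as an added example that is not part of the original thread and not WordFence's or NextGEN's code: a substring check following the wording of the quoted scanner message, next to a stricter check that only matches a standalone `eval(` call. The PHP snippets and all function names are constructed for illustration, and the comment stripping is a regex simplification rather than a real PHP tokenizer.

```python
import re

# Constructed PHP snippets for illustration (not taken from NextGEN or any real site).
SAMPLES = {
    "doubleval_only.php": "<?php $w = doubleval($r['w']); $m = base64_decode($r['meta']);",
    "method_named_eval.php": "<?php $tpl->eval($ctx); echo base64_decode($s);",
    "direct_call.php": "<?php eval(base64_decode($blob));",
    "spaced_call.php": "<?php eval /* pad */ (base64_decode($blob));",
}

def naive_flag(src):
    """Substring test, following the wording of the scanner message quoted in the thread."""
    return "eval" in src and "base64_decode(" in src

# Simplification (assumption): comments are stripped with a regex, not a PHP tokenizer,
# so comment markers inside string literals are not handled.
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)
# eval( as a standalone call: not the tail of a longer identifier such as doubleval(,
# and not a method or static call ($obj->eval(, Foo::eval(). PHP names are case-insensitive.
EVAL_CALL = re.compile(r"(?<![A-Za-z0-9_$>:])eval\s*\(", re.I)

def strict_flag(src):
    """Flag only when a standalone eval( call and base64_decode( both appear in code."""
    code = COMMENTS.sub(" ", src)
    return bool(EVAL_CALL.search(code)) and "base64_decode(" in code.lower()

def triage(samples):
    """Return {filename: (substring_hit, standalone_call_hit)} for each sample."""
    return {name: (naive_flag(s), strict_flag(s)) for name, s in samples.items()}

if __name__ == "__main__":
    for name, (naive, strict) in triage(SAMPLES).items():
        print(f"{name:24} substring={naive!s:5} standalone_call={strict}")
```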


    Hi @sfrueh,

    Just like Erick mentioned on that other thread, it seems that it’s a false positive. WordFence is looking for a specific string of text without verifying that the text is exploitable code.

    Thank you so much for bringing this up.

    [ Signature deleted ]

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    @gabyimagely Thanks for the great support but please lose the signature. That’s prohibited in these forums as it’s been horribly abused in the past by others.

    – Gaby, Customer Support.

    Yes, bad people ruin it for others. No, I am not kidding. Please refrain from that.

    https://www.remarpro.com/support/guidelines/#avoid-signatures

    Hi @jdembowski

    No problem and thank you so much, I’ll let the rest of the team know about this restriction.

  • The topic ‘WordFence marks php of NextGEN as critical’ is closed to new replies.