Exploit Scanner v1.11

3 posts by 2 authors in: Forums > CMS Builder
Last Post: June 15, 2015   (RSS)

By northernpenguin - June 14, 2015

Hi

Exploit Scanner has picked up the following potential exploit on one of my systems:

/home/xxxxxx/public_html/list/admin/connect.php (Score: 12) 
 - PHP Code Match (Score 1): Base64 string of 100+ chars (matched string: $oldpoweredimage = 'iVBORw0KGgoAAAANSUhEUgAAAFgAAAAfCAMAAABUFvrSAAAABGdBTUEAALGPC/xhBQAAAMBQTFRFmQAA...) 
 - PHP Code Match (Score 10): Base64 string of 1000+ chars (matched string: $oldpoweredimage = 'iVBORw0KGgoAAAANSUhEUgAAAFgAAAAfCAMAAABUFvrSAAAABGdBTUEAALGPC/xhBQAAAMBQTFRFmQAA...) 
 - PHP Code Match (Score 1): PHP disabling error_reporting (matched string: error_reporting(0))

Scanned: 582 dirs, 10,593 files (3 risks found)Execute time: 0 minutes, 42 seconds 

I understand the 1st two messages, but I don't understand the 3rd one.  Is some code actually disabling error reporting?  It would be nice if exploit scanner would list the line number of the potential exploit!

Ragi

--
northernpenguin
Northern Penguin Technologies

"Any sufficiently advanced technology
is indistinguishable from magic."
........Arthur C. Clarke

By Dave - June 15, 2015

Hi Ragi, 

Yea, that's what's it's doing.  error_reporting(0) disables all error reporting.  See:
http://php.net/manual/en/function.error-reporting.php

They might have a non-malicious reason for doing that.  You can find the line by searching for "error_reporting(0)" in the file.

That only gets a score of 1, though, and you need a score of 10+ to show up.  I'd guess the "Base64 string of 1000+ chars" is a false-positive and that $oldpoweredimage is just encoded image data.  

But still worth a look just to be sure!

Let me know any questions.

Dave Edis - Senior Developer
interactivetools.com