From 2f7943f6acf2e6e553d214a2fa3d1d26c86939b1 Mon Sep 17 00:00:00 2001
From: Denis Ryabov
Date: Wed, 15 May 2019 16:48:40 +0300
Subject: [PATCH] Fix false-positive for JAMSS rule#23

JAMSS rule#23 gives false-positive warning for files that starts with `defined('_JEXEC')` (because of partial `exec` match) and use `$_GET` or `$_POST`. This patch requires `exec` (and other function names in) to be checked explicitly using word boundaries (`\b`) in the regex.
---
 .../components/com_jedchecker/libraries/rules/jamss.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/administrator/components/com_jedchecker/libraries/rules/jamss.php b/administrator/components/com_jedchecker/libraries/rules/jamss.php
index a1af3f74..bc9ebf33 100644
--- a/administrator/components/com_jedchecker/libraries/rules/jamss.php
+++ b/administrator/components/com_jedchecker/libraries/rules/jamss.php
@@ -222,7 +222,7 @@ private function init_jamss($deepscan = true)
 '22', 'Found the SourceCop encoded code. It is often used for malicious code ' .
 'hiding, so go and check the code with some online SourceCop decoders'),
- array('(?:exec|passthru|shell_exec|system|proc_|popen)[\w\W\s/\*]*\([\s/\*\#\'\"\w\W\-\_]*(?:\$_GET|\$_POST)',
+ array('\b(?:exec|passthru|shell_exec|system|proc_\w+|popen)\b[\w\W\s/\*]*\([\s/\*\#\'\"\w\W\-\_]*(?:\$_GET|\$_POST)',
 'shell command execution from POST/GET variables',
 '23', 'Found direct shell command execution getting variables from POST/GET, ' .