D
D
Denis2015-10-29 09:26:32
PHP
Denis, 2015-10-29 09:26:32

Virusdie vs preg_replace. Is there a virus?

Good day everyone!
I received a letter from the hoster saying that after scanning by Virusdie, you have detected the malicious code PregReplace.E.
It was found in three ways: /tmp/install_54ee9eb21856e/lib_rokcommon/Doctrine/Adapter/Statement/Oracle.php, /components/com_uddeim/includes.php
and
/libraries/rokcommon/Doctrine/Adapter/Statement/Oracle.php rokcommon:
/**
* Parse actual query from queryString and returns OCI statement handler
* @param string Query string to parse, if NULL, $this->queryString is used
*
* return resource OCI statement handler
*/
private function parseQuery($query =null)
{
if (is_null($query)) {
$query = $this->queryString;
}
$bind_index = 1;
// Replace ? bind-placeholders with :oci_b_var_ variables
$query = preg_replace("/(\?)/e", '":oci_b_var_". $bind_index++' , $query);
$this->statement = @oci_parse($this->connection, $query);
if ( $this->statement == false )
{
throw new Doctrine_Adapter_Exception($this->getOciError());
}
return $this->statement;
}
code from com_uddeim:
// $val = preg_replace('/<(.*?)>/ie', "'<' . preg_replace(array('/javascript:[^\"\']*/i', '/(" . implode('|', $aDisabledAttributes) . ")=[\"\'][^\"\']*[\"\']/i', '/\s+/'), array('', '', ' '), stripslashes('\\1')) . '>'", $val);
it is commented out, so it does not cause concern and, in principle, it can be deleted.
What about rockcommon? In principle, I cleaned tmp, it remains only in the libraries ..
Please tell me.

Answer the question

In order to leave comments, you need to log in

1 answer(s)
A
Arman, 2015-10-29
@Arik

This construction (preg_replace with the "e" modifier) ​​is already outdated, most likely confusing, which is almost the same as eval (), try rewriting it with preg_replace_callback

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question