[Claude Dagenais]

Hello Steven,
I had a security breach in a website and the good people at Sucuri identified the cmap files that I had placed in the upload directory (so that I could change them securely) as containing a backdoor. Have you been aware of something like that, could it be a false problem?
I’ve attached the file that I created for your review.
Tx

[Claude Dagenais]

Well I guess I can’t send you the card.php so a second try in txt

Attachments:

You must be logged in to view attached files.

[Steven Zahm]

@ Claude

That attached file seems like the standard template file for the cMap template with only a few minor changes to style and placement of some entry data. I do not see anything that looks like backdoor code. Perhaps the miss ID the file??? I think it best that you confirm with them. If they did find an issue, it sure would be nice of them to Contact me so I can fix any issue. You can direct them to contact me using the contact link at the very bottom of the page.

[Claude Dagenais]

Thank you. With your reply I contacted Sucuri and sent them you contact information. Since they deleted the file on the server I cannot be sure of what they found. Maybe it was injected with something. I’ll keep you updated.

[Steven Zahm]

@ Claude

re: Maybe it was injected with something.

That would make sense. If you were infected, I’ve seen sites have many files injected with code. I had to clean my church’s site once after it was infected, not fun because it kept coming back because I guess I missed a file. I ended up just replacing every file on the site with original copies and it’s been fine since. I personally think the attack vector (no proof, just hunch) was Ninja Forms. I only think that because I seem to remember them having a security related update and I do not think I updated the church’s site.

Any way…

re: I’ll keep you updated.

Yes, please do. Thanks!

[Claude Dagenais]

Here is the answer from Sucuri:

I inspected the card.php file specifically and there does not appear
to be any malware inside so I have restored it, the file was removed
as its a php file inside the uploads directory which should only
contain images, documents and other related files, not php files. I
apologize if this caused any problems.

So I would say this was a false positive but it raise the question of putting php in the upload directory. iTheme Security does not allow it either.
Claude

[Steven Zahm]

@ Claude

re: but it raise the question of putting php in the upload directory.

I suppose that does raise a good point. I can not remove this path because it’ll break templates for everyone who is using a custom template override file.

What I can do is add an additional path to look for a connections-templates/{template-slug}/ folder as a higher priority. I’ll be releasing version 8.5.15 shortly which contains this added path. So you should be able to simply move the folder down one level out of the uploads folder and it should just work. I did not actually test it since this is a relatively simple change. If you move it and it does not work, let me know, then I’ll test it.

Hope that helps!

ps. The uploads was only one of the folders you could use, you can also put it in the active theme’s folder. I’ve already made the doc change to state to put the folder within the wp-content instead of the uploads folder.

[Author]

Posts