• Resolved Tamenori

    (@tamenori)


    Hello,

    Since the v150626 update, VaultPress detects a security threat in the following file:
    /wp-content/plugins/zencache/src/vendor/websharks/html-compressor/src/includes/classes/Core.php
    Lines 670 and 1435.

    The warning message is:
    PHP.Shell.Encoded.1
    VaultPress has detected a web-based “shell” a very dangerous backdoor which may allow unauthorized access to your server.

    Should I ignore this warning?

    Regards,
    Tamenori

    https://wordpress.org/plugins/zencache/

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Raam Dev

    (@raamdev)

    @tamenori

    This is what is on those two lines:

    '(?P<script_open_tag>\<script(?:\s+[^>]*?)?\>)(?P<script_js>.*?)(?P<script_closing_tag>\<\/script\>)'.

    And that line is part of a bigger collection of RegEx’s, used to search for JavaScript fragments during JS Compression (a feature of the ZenCache HTML Compressor):

    $regex = '/(?P<all>'.// Entire match.
                     '(?P<if_open_tag>\<\![^[>]*?\[if\W[^\]]*?\][^>]*?\>\s*)?'.
                     '(?P<script_open_tag>\<script(?:\s+[^>]*?)?\>)(?P<script_js>.*?)(?P<script_closing_tag>\<\/script\>)'.
                     '(?P<if_closing_tag>\s*\<\![^[>]*?\[endif\][^>]*?\>)?'.
                     ')/is'; // Dot matches line breaks.

    None of that is actually a PHP shell, or anything malicious. It looks like VaultPress is incorrectly detecting that code as a “shell” when in fact it’s not. (This is known as a ‘false positive’; you can let VaultPress know about the issue and hopefully they fix their next update so that it doesn’t detect ZenCache as being malicious.)

    Let me know if you have any other questions. 🙂
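
Added example, not part of the original reply and not ZenCache code: one way to triage the flagged lines is to tokenize the quoted statement to confirm it holds only string literals and concatenation, then run the rebuilt pattern over sample HTML to see what it captures. The function names, the `$statement` copy and the `$html` sample are constructed for this illustration.

```php
<?php
// Added triage example. $statement is a constructed copy of the statement quoted
// in the reply above; $html is constructed sample input.
$statement = <<<'SRC'
<?php
$regex = '/(?P<all>'.// Entire match.
    '(?P<if_open_tag>\<\![^[>]*?\[if\W[^\]]*?\][^>]*?\>\s*)?'.
    '(?P<script_open_tag>\<script(?:\s+[^>]*?)?\>)(?P<script_js>.*?)(?P<script_closing_tag>\<\/script\>)'.
    '(?P<if_closing_tag>\s*\<\![^[>]*?\[endif\][^>]*?\>)?'.
    ')/is'; // Dot matches line breaks.
SRC;

// Static check: list every token that is not a literal, comment, whitespace,
// the assigned variable, or one of the operators "=", "." and ";".
function non_inert_tokens(string $source): array
{
    $inert = [T_OPEN_TAG, T_WHITESPACE, T_COMMENT, T_VARIABLE, T_CONSTANT_ENCAPSED_STRING];
    $found = [];
    foreach (token_get_all($source) as $tok) {
        if (is_array($tok) ? !in_array($tok[0], $inert, true) : !in_array($tok, ['=', '.', ';'], true)) {
            $found[] = is_array($tok) ? token_name($tok[0]).' '.$tok[1] : $tok;
        }
    }
    // An empty result means the statement has no call, eval, include or backtick token.
    return $found;
}

// Rebuild the pattern from the string literals without executing the source.
// Stripping the quotes is enough here because the literals contain no \\ or \'.
function pattern_from_literals(string $source): string
{
    $pattern = '';
    foreach (token_get_all($source) as $tok) {
        if (is_array($tok) && $tok[0] === T_CONSTANT_ENCAPSED_STRING) {
            $pattern .= substr($tok[1], 1, -1);
        }
    }
    return $pattern;
}

$html = "<p>x</p><!--[if lt IE 9]><script src=\"shim.js\"></script><![endif]-->\n"
      . "<script>var a = 1;\nvar b = 2;</script>";

var_dump(non_inert_tokens($statement));
preg_match_all(pattern_from_literals($statement), $html, $m, PREG_SET_ORDER);
foreach ($m as $hit) {
    printf("open=%s js=%s if=%s\n", $hit['script_open_tag'], json_encode($hit['script_js']), json_encode(trim($hit['if_open_tag'])));
}
```

The same token check can be pointed at any other line a scanner flags, read from the file on disk, before deciding whether to report it upstream as a false positive.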

    Plugin Author JasWSInc

    (@jaswsinc)

    Thread Starter Tamenori

    (@tamenori)

    Thank you guys, you rock!


The topic ‘Security threat in v150626’ is closed to new replies.