Support » Plugin: WooCommerce PDF Invoices & Packing Slips » WP Cerber is marking files as potential threats

  • Resolved lightray3912

    (@lightray3912)


    Hi support,

    WP Cerber security plugin integrity scan is marking all font files in uploads/wpo_wcpdf as threats because they are embedded as executable files.

    example:
    /uploads/wpo_wcpdf/fonts/OpenSans-Bold.ufm.php

    Are these safe?

    Thanks,

  • Plugin Author Ewout

    (@pomegranate)

    Yes, these are harmless. You can see the source of this file here:
    https://github.com/wpovernight/woocommerce-pdf-invoices-packing-slips/blob/master/vendor/dompdf/dompdf/lib/fonts/OpenSans-Bold.ufm.php

    As you can see, this php file takes no arguments and simply returns an array with information about the font metrics (and it doesn’t display anything so this has no effect on the frontend). This holds true for all the php files in the fonts folder.

    But don’t trust me – I recommend double-checking with an independent source too (for example WP Cerber).
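    One way to do that independent check, as an added example that is not code from the plugin, from dompdf, or from anyone in this thread: a small Python script that mechanically verifies the claim above, i.e. that a .ufm.php file consists of nothing but a single `return` of literal data (strings, numbers, booleans, arrays) and contains no variables, function calls or trailing code. The two sample file contents are constructed here in the layout var_export() produces; point it at the real files in uploads/wpo_wcpdf/fonts to check them.

```python
import re

# Token grammar for a var_export()-style literal: quoted strings (no "$"
# interpolation), numbers, array/true/false/null and punctuation.  Anything
# else ($var, a function name, a backtick, a second open tag) fails to match.
_TOKEN = re.compile(r"""
    (?P<ws>\s+)
  | (?P<str>'(?:[^'\\]|\\.)*'|"(?:[^"\\$]|\\.)*")
  | (?P<num>-?(?:\d+\.\d*|\.\d+|\d+)(?:[eE][-+]?\d+)?)
  | (?P<kw>\b(?:array|true|false|null|TRUE|FALSE|NULL)\b)
  | (?P<punct>=>|[()\[\],;])
""", re.VERBOSE)

def is_pure_data_php(src: str) -> bool:
    """True iff src is '<?php return <literal>;' and nothing else."""
    head = re.match(r"\s*<\?php\s+return\b", src)
    if not head:
        return False
    pos, depth, done = head.end(), 0, False
    while pos < len(src):
        tok = _TOKEN.match(src, pos)
        if tok is None:
            return False                 # non-literal construct found
        pos = tok.end()
        if tok.lastgroup == "ws":
            continue
        if done:
            return False                 # code after the return statement
        if tok.lastgroup != "punct":
            continue
        text = tok.group()
        if text in ("(", "["):
            depth += 1
        elif text in (")", "]"):
            depth -= 1
            if depth < 0:
                return False
        elif text == ";":
            if depth != 0:
                return False
            done = True
    return done and depth == 0

# Constructed samples in the layout dompdf writes for its font metrics.
GOOD_UFM = ("<?php return array (\n  'codeToName' => \n  array (\n"
            "    32 => 'space',\n    33 => 'exclam',\n  ),\n"
            "  'isUnicode' => true,\n  'FontName' => 'OpenSans-Bold',\n"
            "  'C' => \n  array (\n    32 => 532.0,\n    33 => 327.0,\n  ),\n"
            "  '_version_' => 6,\n);\n")
TAMPERED_UFM = GOOD_UFM.replace("'OpenSans-Bold'", "phpversion()")  # call spliced in
TRAILING_UFM = GOOD_UFM + "echo 'hello';\n"                        # code after return
```

    A file that fails this check is not necessarily malicious, but it is no longer the pure metrics table the plugin author describes and deserves a look.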

    I’d recommend placing those PHP files in the plugin’s folder. The WordPress uploads folder is for media files, not code ones.

    Plugin Author Ewout

    (@pomegranate)

    Hello Gioni,
    Thanks for the suggestion.
    These are files that are generated on the fly, and site specific. If I place them in the plugin folder, they would be overwritten by plugin updates. The uploads folder is used for much more than just media files; it’s the part of WordPress that is writable by plugins and is therefore also used for other temporary and/or site/config specific files (not just by my plugin).

    Generating and spreading executable files on the fly is a bad practice. There are no excuses for such a lazy approach. Even for such a good plugin. Storing executable files among pictures and documents creates a mess that leads to security issues if a website is managed by an inexperienced user or if a web server is misconfigured. Today those files are harmless, tomorrow they are infected with malware and people have no idea what to do about it. Site specific things should be stored in the site DB or generated on the fly.

    • This reply was modified 3 years, 4 months ago by Gregory.

    Plugin Author Ewout

    (@pomegranate)

    I don’t think executable files in the uploads folder are any more dangerous than executable files in the plugins folder, both are directly accessible for outsiders. The PHP files in question (which don’t execute any functions and have no input or output) are not stored among pictures and documents but in their own, separate temp folder used only for this plugin, which is additionally protected with a .htaccess (for Apache & nginx) and index.php (for IIS).
    If you have any suggestions for better locations for temporary files that are writable, safe from updates and more secure than the wp-content subfolders, I’m definitely open to it.
    I assume WP Cerber uses heuristics to detect potential malware inside the plugins folder too, are those heuristics also applied to these php files found in the uploads folder?

    Just a bit of background: These files are generated by a third party library that processes fonts into a format that is usable for inclusion in a PDF. Storing PHP files in the DB sounds like a recipe for disaster to me, aside from the fact that this would make the maintenance of the library (which would then need to be forked) higher which is just as much a security risk.

    For pro users there’s a filter that lets them set an alternative path for these temp files, outside of the site root (wpo_wcpdf_tmp_path).

    It’d be great if together we can come up with a solution that keeps both PDF Invoices & WP Cerber happy!

    It’s not just WP Cerber! These .php scripts have shown up twice as false positives on my server scans. They don’t like them.
    I’m not a pro at php scripts or anything. But…
    Can’t you add something that scans for any malicious changes in the php and alerts if hacked?
    Will the plugin still work if I delete or paralyse these phps?
    I mean, pdf invoices hold confidential client info and are thus prime targets for hackers. The security should be double locked here.
    I’ve been using your plugin for a year now and am happy with it. Thanks.

    PS. it’s not just the php in the uploads that cause false positives but these too:

    public_html/wp-content/plugins/woocommerce-pdf-invoices-packing-slips/includes/views/dompdf-status.php –
    ./public_html/wp-content/plugins/woocommerce-pdf-invoices-packing-slips/vendor/dompdf/dompdf/lib/fonts/Segoe-Bold.ufm.php
    ./public_html/wp-content/plugins/woocommerce-pdf-invoices-packing-slips/vendor/dompdf/dompdf/lib/fonts/Segoe-Normal.ufm.php

    Plugin Author Ewout

    (@pomegranate)

    @denisdenis what exactly do you mean by ‘paralyse these phps’? They’re already paralysed in the sense that they do not return or display any information, and these are font files so not at all related to the actual PDF files. As I mentioned in my response above, modifying these files is just as easy (or difficult) for a hacker as it is for modifying files in the plugins folder – they are both publicly accessible folders. You (or any security related plugin) should monitor them both equally. I use WordFence for most of my projects and it always alerts me when files are modified (regardless of their location and filetype).

    public_html/wp-content/plugins/woocommerce-pdf-invoices-packing-slips/includes/views/dompdf-status.php –
    ./public_html/wp-content/plugins/woocommerce-pdf-invoices-packing-slips/vendor/dompdf/dompdf/lib/fonts/Segoe-Bold.ufm.php
    ./public_html/wp-content/plugins/woocommerce-pdf-invoices-packing-slips/vendor/dompdf/dompdf/lib/fonts/Segoe-Normal.ufm.php

    What does it say about these files? Which plugin do you use for scanning?
    Especially the dompdf-status.php surprises me – if there’s anything in there that triggers this I may be able to fix that because that’s actually a core plugin file. The other two are font files.

    • This reply was modified 3 years, 2 months ago by Ewout.

    Thanks for your patience with quasi non-techies such as myself.
    These were the results from my hosting company, so I don’t know what scanning they used.
    I use WordFence as well. And these files didn’t show up.
    Should I be worried about the result? – dompdf-status.php
    Thanks

    Plugin Author Ewout

    (@pomegranate)

    I don’t think you should be worried, but then again I’m the creator of the plugin so I may have a blind spot (if I had seen issues I would have fixed them). If your host can tell you what issues they found with that particular file, I’d gladly look into this.
