I'm trying to locate and sanitize a compromised C5 site and in the process looked for the combo of eval() and unescape(). I found loads of occurrences. My ISP would LOVE to shut eval off altogether.
Is this code legit, or have I found a bunch of exploit code?
From a search of the codebase, I believe the only place you'll see eval() used is in Javascript contexts, and not a PHP call of eval().
Where I found eval calls in php files, it was only in cases where it is generating Javascript to output.
Then when it is used in a Javascript context, it should be pretty clear that it's normal code, i.e., it's still readable and appears to do something simple.
So I'm pretty certain eval can be turned off by your host.
If you are finding actual PHP calls to eval, that's going to be dodgy code, the same if you find eval code in JavaScript with a whole bunch of nonsense code. Often those kinds of JavaScript injections are tacked on at the bottom of files (sometimes with a lot of whitespace around them).
I've only had to clean up one concrete5 site for someone* - the best thing to do here I believe is to just fully replace the /concrete folder with a fresh one, matching the version you need, and to carefully check the remaining files. Luckily concrete5 has a fairly clean folder structure.
Exploits often target common files such as index.php, index.html, .htaccess files, so check those as well.
* - (wasn't concrete5's fault, another app in the same webspace had the exploit!)
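The triage the answer above describes (grep for eval() wrapped in a decoder such as unescape()/base64_decode(), look for injections padded with blank lines at the bottom of files, diff /concrete against a fresh copy of the same version, and eyeball index.php, index.html and .htaccess) can be scripted. The following is an added example written for this page, not code from the thread or from concrete5 itself. The webroot, the "clean" reference tree and every file in them are constructed fixtures so it runs offline; on a real site set SITE to the webroot and CLEAN to a freshly unpacked concrete5 of the matching version. The eval() patterns are heuristics and the output is a list of things to read by hand, not a verdict.

```shell
#!/bin/sh
# Added example (not from the forum thread or concrete5): triage a webroot for
# injected eval() code and for files in /concrete that differ from a clean copy.
set -u

# Constructed fixture: a fake webroot ($base/site) and a fake clean /concrete
# tree ($base/clean). Replace both with real paths on a real site.
make_fixture() {
  base=$(mktemp -d)
  mkdir -p "$base/site/concrete/core" "$base/clean/concrete/core" "$base/site/themes"
  # Legitimate core file: PHP that merely emits JavaScript containing eval().
  cat > "$base/site/concrete/core/view.php" <<'EOF'
<?php
echo '<script>var cfg = eval("(" + json + ")");</script>';
EOF
  cp "$base/site/concrete/core/view.php" "$base/clean/concrete/core/view.php"
  # Backdoor dropped into the core tree: a real PHP eval() on decoded input.
  cat > "$base/site/concrete/core/helper.php" <<'EOF'
<?php
eval(base64_decode($_POST['c']));
EOF
  # The clean copy has the original helper, without the backdoor.
  printf '<?php\nfunction helper() { return 1; }\n' > "$base/clean/concrete/core/helper.php"
  # Theme file with an obfuscated JS injection tacked on after 40 blank lines.
  {
    printf '<html><body>Hello</body></html>\n'
    i=0; while [ $i -lt 40 ]; do printf '\n'; i=$((i+1)); done
    printf '<script>eval(unescape("%%64%%6f%%63%%75%%6d%%65%%6e%%74"));</script>\n'
  } > "$base/site/themes/footer.php"
  printf 'RewriteEngine On\n' > "$base/site/.htaccess"
  echo "$base"
}

# Lines worth reading: eval() fed by a decoder/obfuscator, or eval( as a bare
# statement (in a .php file that is PHP's eval, not JavaScript inside a string).
suspicious_eval() {
  grep -rnE \
    -e 'eval[[:space:]]*\((base64_decode|gzinflate|gzuncompress|str_rot13|unescape|String\.fromCharCode)' \
    -e '^[[:space:]]*eval[[:space:]]*\(' "$1"
}

# Compare SITE/concrete with CLEAN/concrete byte for byte: prints
# "modified", "added" (only in the site) or "missing" (only in the clean copy).
changed_files() {
  site=$1; clean=$2
  ( cd "$site" && find concrete -type f ) | while read -r rel; do
    if [ ! -f "$clean/$rel" ]; then
      printf 'added\t%s\n' "$rel"
    elif ! cmp -s "$site/$rel" "$clean/$rel"; then
      printf 'modified\t%s\n' "$rel"
    fi
  done
  ( cd "$clean" && find concrete -type f ) | while read -r rel; do
    [ -f "$site/$rel" ] || printf 'missing\t%s\n' "$rel"
  done
}

# Prints 1 if a non-blank line follows a run of 10 or more blank lines
# (the "lots of whitespace, then a payload" pattern), else 0.
padded_tail() {
  awk 'NF { if (blank >= 10) hit = 1; blank = 0; next } { blank++ } END { print hit + 0 }' "$1"
}

# Common targets that deserve a manual read whatever the scanners say.
hot_files() {
  for name in index.php index.html .htaccess; do
    [ -f "$1/$name" ] && printf '%s\n' "$name"
  done
  return 0
}

ROOT=$(make_fixture)
echo "== suspicious eval() calls under $ROOT/site"
suspicious_eval "$ROOT/site"
echo "== files in /concrete that differ from the clean copy"
changed_files "$ROOT/site" "$ROOT/clean"
echo "== files with a long blank-line run before trailing code"
find "$ROOT/site" -type f -name '*.php' | while read -r f; do
  [ "$(padded_tail "$f")" = 1 ] && printf '%s\n' "$f"
done
echo "== common target files present (inspect by hand)"
hot_files "$ROOT/site"
```

Against the fixture this flags helper.php (bare PHP eval on base64 input) and footer.php (eval(unescape(...)) after 40 blank lines) while leaving view.php alone, since its eval() lives inside a JavaScript string the PHP only echoes; the diff step reports helper.php as modified. The modified/added list is the real answer to "replace /concrete and check the rest": anything there that you did not change yourself needs explaining before the site goes back online.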