Add a '${${' rule

author: jvoisin 2016-12-08 13:46:29 +0100
committer: jvoisin 2016-12-08 13:46:29 +0100
commit: ad4467dabd8ebfd1c87bf6aa2aa0f0b18ecdd536 (patch)
tree: 4cba8f4eae0468dcb3b9ae5f27ee9a4b20daddbf
parent: 45cb4e3de8e676fa98f1d87bcfdeba3ab19ce1f9 (diff)
2 files changed, 2 insertions, 0 deletions
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index 2ac9027..8a08308 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -96,6 +96,7 @@ rule DodgyPhp
        $udp_dos = /fsockopen\s*\(\s*['"]udp:\/\// nocase
        $various = "<!--#exec cmd="  //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
        $at_eval = /@eval\s*\(/ nocase
+        $double_var = /\${\s*\${/
    condition:
        (any of them) and not IsWhitelisted
diff --git a/php-malware-finder/tests.sh b/php-malware-finder/tests.sh
index 4f1c765..d362a14 100755
--- a/php-malware-finder/tests.sh
+++ b/php-malware-finder/tests.sh
@@ -91,6 +91,7 @@ run_test artificial/bypasses.php "0x132:\$var_as_func: \$_POST\['funct'\]("
 run_test real/sucuri_2014_04.php '0x67:$execution3:'
 run_test real/novahot.php 'DodgyStrings'
 run_test real/guidtz.php '0x12d8:$non_printables:'
+run_test real/ice.php 'double_var'
 # Asp files
 run_test_asp classic/cmdasp.asp 'DodgyStrings'
author	jvoisin	2016-12-08 13:46:29 +0100
committer	jvoisin	2016-12-08 13:46:29 +0100
commit	ad4467dabd8ebfd1c87bf6aa2aa0f0b18ecdd536 (patch)
tree	4cba8f4eae0468dcb3b9ae5f27ee9a4b20daddbf
parent	45cb4e3de8e676fa98f1d87bcfdeba3ab19ce1f9 (diff)