From b04ff8dd9020bf1ad5a20f25ced008228e1e1c3b Mon Sep 17 00:00:00 2001
From: Fariskhi Vidyan
Date: Sun, 9 Jul 2017 07:36:15 +0700
Subject: Add ob_start as dodgy php (#56)

Wonderful, thank you ♥---
 php-malware-finder/php.yar | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index 7cb0cf1..644419c 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -82,7 +82,7 @@ rule DodgyPhp
         $basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719
         $disable_magic_quotes = /set_magic_quotes_runtime\s*\(\s*0/ nocase
 
-        $execution = /(eval|assert|passthru|exec|include|system|pcntl_exec|shell_execute|base64_decode|`|array_map|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))/ nocase  // function that takes a callback as 1st parameter
+        $execution = /(eval|assert|passthru|exec|include|system|pcntl_exec|shell_execute|base64_decode|`|array_map|ob_start|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))/ nocase  // function that takes a callback as 1st parameter
         $execution2 = /(array_filter|array_reduce|array_walk(_recursive)?|array_walk|assert_options|uasort|uksort|usort|preg_replace_callback|iterator_apply)\s*\(\s*[^,]+,\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))/ nocase  // functions that takes a callback as 2nd parameter
         $execution3 = /(array_(diff|intersect)_u(key|assoc)|array_udiff)\s*\(\s*([^,]+\s*,?)+\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))\s*\[[^]]+\]\s*\)+\s*;/ nocase  // functions that takes a callback as 2nd parameter
 
-- 
cgit v1.3