Theme Authenticity Checker (TAC) - Version 1.3

Release Info

Developer: builtBackwards
Plugin: Theme Authenticity Checker (TAC)
Version: 1.3

Code changes from version 1.2 to 1.3

Files changed (3)
  1. readme.txt +22 -14
  2. screenshot-1.jpg +0 -0
  3. tac.php +155 -41
readme.txt CHANGED
@@ -1,20 +1,24 @@
1
- === TAC (Theme Authentication Checker) ===
2
  Contributors: builtBackwards
3
  Donate link: http://builtbackwards.com/donate
4
  Tags: themes, security, javascript, admin
5
- Requires at least: 2.6
6
- Tested up to: 2.6
7
- Stable tag: 1.2
8
 
9
- Scan all of your theme files for potentially malicious or unwanted code.
10
 
11
  == Description ==
12
- = NOTICE: CURRENT VERSION 1.2 IS ONLY COMPATIBLE WITH WORDPRESS 2.6 =
13
 
14
- Don't worry, this release is only a band-aid to deal with a core function change in Wordpress 2.6.
15
- The next version will be backwards compatible to at least Wordpress 2.5 as well as working with 2.6
16
 
17
- [View CHANGELOG on Plugin Homepage](http://builtbackwards.com/projects/tac/ "View CHANGELOG on Plugin Homepage")
18
 
19
  TAC got its start when we repeatedly found obfuscated malicious code in free Wordpress themes available throughout the web. A quick way to scan a theme for undesirable code was needed, so we put together this plugin.
20
 
@@ -23,11 +27,12 @@ After Googling and exploring on our own we came upon the [article by Derek](http
23
 
24
  **What TAC Does**
25
 
26
- TAC stands for Theme Authentication Checker. Currently, TAC searches the source files of every installed theme for signs of malicious code. If
27
  such code is found, TAC displays the path to the theme file, the line
28
- number, and a small snippet of the suspect code.
29
 
30
  Then what do you do? Just because the code is there doesn't mean it's not supposed to be or even qualifies as a threat, but most theme authors don't include code outside of the Wordpress scope and have no reason to obfuscate the code they make freely available to the web. We recommend contacting the theme author with the code that the script finds, as well as where you downloaded the theme.
 
31
 
32
  == Installation ==
33
 
@@ -37,6 +42,7 @@ After downloading and extracting the latest version of TAC:
37
  2. Activate the plugin through the 'Plugins' menu in WordPress
38
  3. Go to Design -> TAC in the Wordpress Admin
39
  4. The results of the scan will be displayed for each theme with the filename and line number of any threats.
 
40
 
41
  == Frequently Asked Questions ==
42
 
@@ -45,6 +51,10 @@ After downloading and extracting the latest version of TAC:
45
  Contact the theme's original author to double check if that section of code is supposed to be in the theme in the first place - chances are it shouldn't as there isn't a logical reason
46
  have base64 encoding in a theme.
47
 
48
  = What about future vulnerabilities? =
49
 
50
  As we find them we will add them to *TAC*. If you find one, PLEASE let us know: [Contact builtBackwards](http://builtbackwards.com/contact/ "Contact builtBackwards")
@@ -55,8 +65,6 @@ As we find them we will add them to *TAC*. If you find one, PLEASE let us know:
55
 
56
  = Closing Thoughts =
57
 
58
- We hope this helps out. Please enjoy being secure!
59
-
60
- Ciao!
61
 
62
  The builtBackwards Team
1
+ === TAC (Theme Authenticity Checker) ===
2
  Contributors: builtBackwards
3
  Donate link: http://builtbackwards.com/donate
4
  Tags: themes, security, javascript, admin
5
+ Requires at least: 2.2
6
+ Tested up to: 2.6.2
7
+ Stable tag: 1.3
8
 
9
+ *Scan all of your theme files for potentially malicious or unwanted code.*
10
 
11
  == Description ==
12
+ Scan all of your theme files for potentially malicious or unwanted code.
13
+
14
+ **NEW STUFF IN TAC 1.3** [CHANGELOG](http://builtbackwards.com/projects/tac/ "CHANGELOG")
15
+
16
+ * Compatible with WordPress 2.2 - 2.6.1
17
+ * **NEW!** Checks for embedded Static Links
18
+ * **NEW!** Direct links for editing suspicious files in the WordPress Theme Editor
19
 
 
 
20
 
21
+ **History**
22
 
23
  TAC got its start when we repeatedly found obfuscated malicious code in free Wordpress themes available throughout the web. A quick way to scan a theme for undesirable code was needed, so we put together this plugin.
24
 
27
 
28
  **What TAC Does**
29
 
30
+ TAC stands for Theme Authenticity Checker. Currently, TAC searches the source files of every installed theme for signs of malicious code. If
31
  such code is found, TAC displays the path to the theme file, the line
32
+ number, and a small snippet of the suspect code. As of **v1.3** *TAC* also searches for and displays static links.
33
 
34
  Then what do you do? Just because the code is there doesn't mean it's not supposed to be or even qualifies as a threat, but most theme authors don't include code outside of the Wordpress scope and have no reason to obfuscate the code they make freely available to the web. We recommend contacting the theme author with the code that the script finds, as well as where you downloaded the theme.
35
+ But the real value of this Plugin is that you can quickly determine what and where code needs to be cleaned up.
36
 
37
  == Installation ==
38
 
42
  2. Activate the plugin through the 'Plugins' menu in WordPress
43
  3. Go to Design -> TAC in the Wordpress Admin
44
  4. The results of the scan will be displayed for each theme with the filename and line number of any threats.
45
+ 5. You can click on the path to the theme file to edit in the WordPress Theme Editor
46
 
47
  == Frequently Asked Questions ==
48
 
51
  Contact the theme's original author to double check if that section of code is supposed to be in the theme in the first place - chances are it shouldn't as there isn't a logical reason
52
  have base64 encoding in a theme.
53
 
54
+ Static Links aren't necessarily bad, *TAC* just lists them so you can see where your theme is linking to.
55
+
56
+ If something is malicious or simply unwanted, *TAC* tells you what file to edit, you can even just click on the file path to be taken straight to the WordPress Theme Editor.
57
+
58
  = What about future vulnerabilities? =
59
 
60
  As we find them we will add them to *TAC*. If you find one, PLEASE let us know: [Contact builtBackwards](http://builtbackwards.com/contact/ "Contact builtBackwards")
65
 
66
  = Closing Thoughts =
67
 
68
+ Do your part by developing clean GPL compatible themes!
 
 
69
 
70
  The builtBackwards Team
screenshot-1.jpg CHANGED
Binary file
tac.php CHANGED
@@ -1,10 +1,10 @@
1
  <?php
2
  /*
3
- Plugin Name: TAC (Theme Authentication Checker)
4
  Plugin URI: http://builtbackwards.com/projects/tac/
5
- Description: TAC scans all of your theme files for potentially malicious or unwanted code.
6
  Author: builtBackwards
7
- Version: 1.2
8
  Author URI: http://builtbackwards.com/
9
  */
10
 
@@ -26,29 +26,99 @@ Author URI: http://builtbackwards.com/
26
  */
27
 
28
  // Check the theme
29
- function check_theme($template_files) {
30
  foreach ($template_files as $tfile)
31
  {
32
- $lines = file(ABSPATH . 'wp-content' . $tfile, FILE_IGNORE_NEW_LINES);
33
  $line_index = 0;
34
  $is_first = true;
35
  foreach($lines as $this_line)
36
  {
37
- if (stristr ($this_line, "base64"))
38
  {
39
  if ($is_first) {
40
- $the_result .= "<strong>File:</strong> " . $tfile;
41
  $is_first = false;
42
  }
43
- $the_result .= "<div class=\"tacbad\"><strong>Line " . ($line_index+1) . ":</strong> \"" . trim(htmlspecialchars(substr(stristr($this_line, "base64"), 0, 85))) . "...\"</div>";
44
  }
45
  $line_index++;
46
  }
47
- }
48
- if (!isset($the_result)) {
49
- $the_result = "<div class=\"tacgood\">Theme Ok!</div>";
50
  }
51
- return $the_result;
 
52
  }
53
 
54
  function tac_page() {
@@ -56,7 +126,6 @@ function tac_page() {
56
  add_submenu_page('themes.php',__('TAC'), __('TAC'), '10', 'tac.php', 'tac');
57
  }
58
 
59
-
60
  function tac_init() {
61
  add_action('admin_menu', 'tac_page');
62
  }
@@ -67,84 +136,129 @@ function tac() {
67
  ?>
68
  <div class="wrap">
69
  <h2>
70
- <?php _e('TAC (Theme Authentication Checker)'); ?>
71
  </h2>
72
  <div class="pinfo">
73
- TAC checks themes to make sure they don't have any malicious code. For more info please go to the plugin page: <a href="http://builtbackwards.com/projects/tac/">http://builtbackwards.com/projects/tac/</a>
74
  </div>
75
  <?php
76
-
77
  $themes = get_themes();
78
-
79
- $style = '';
80
  $theme_names = array_keys($themes);
81
  natcasesort($theme_names);
82
  foreach ($theme_names as $theme_name) {
83
- $template_files = $themes[$theme_name]['Template Files'];
84
- $template = $themes[$theme_name]['Template'];
85
  $title = $themes[$theme_name]['Title'];
86
  $version = $themes[$theme_name]['Version'];
87
  $author = $themes[$theme_name]['Author'];
88
  $screenshot = $themes[$theme_name]['Screenshot'];
89
- $stylesheet_dir = "wp-content".$themes[$theme_name]['Stylesheet Dir'];
90
- ?>
91
  <div id="tacthemes">
92
  <?php if ( $screenshot ) : ?>
93
- <img src="<?php echo get_option('siteurl') . '/' . $stylesheet_dir . '/' . $screenshot; ?>" alt="" />
 
 
94
  <?php endif;
95
- ?>
96
- <h3>
97
- <?php echo "$template $version by $author"; ?>
98
- </h3>
99
- <?php echo check_theme($template_files); ?>
 
 
100
  </div>
101
  <?php
102
  }
103
  echo '</div>';
104
  }
105
 
106
- // CSS to format the list of themes checked
107
  function tac_css() {
108
  echo '
109
  <style type="text/css">
110
  <!--
111
- .tacbad {
112
- border: 1px solid #000;
113
- background: #FFC0CB;
114
- width: 80%;
115
- margin-left: 140px;
116
  font-family: "Courier New", Courier, monospace;
117
- margin-top: 8px;
118
- padding: 10px;
119
  }
120
 
121
- .tacgood {
122
  width: 90px;
123
  background: #3fc33f;
124
  font-size: 120%;
125
- margin: 10px 10px 10px 140px;
126
  padding: 10px;
127
  }
128
 
129
  .pinfo {
130
  background: #DCDCDC;
131
  margin: 5px;
132
  padding: 5px;
 
133
  }
134
 
135
  #tacthemes {
136
- width: 100%;
137
  padding-bottom: 20px;
138
  border-bottom: 1px solid #ccc;
139
  margin: 10px;
140
  }
141
 
142
- #tacthemes img {
143
  float: left;
144
  width: 100px;
145
  height: 75px;
146
  border: 1px solid #000;
147
- margin: 10px 20px 10px 10px;
148
  }
149
  -->
150
  </style>
1
  <?php
2
  /*
3
+ Plugin Name: TAC (Theme Authenticity Checker)
4
  Plugin URI: http://builtbackwards.com/projects/tac/
5
+ Description: TAC scans all of your theme files for potentially malicious and unwanted code.
6
  Author: builtBackwards
7
+ Version: 1.3
8
  Author URI: http://builtbackwards.com/
9
  */
10
 
26
  */
27
 
28
  // Check the theme
29
+ function tac_check_theme($template_files, $theme_title) {
30
  foreach ($template_files as $tfile)
31
  {
32
+ /*
33
+ * Check for base64 Encoding
34
+ * Here we check every line of the file for base64 functions.
35
+ *
36
+ */
37
+
38
+ $lines = file($tfile, FILE_IGNORE_NEW_LINES); // Read the theme file into an array
39
+
40
  $line_index = 0;
41
  $is_first = true;
42
  foreach($lines as $this_line)
43
  {
44
+ if (stristr ($this_line, "base64")) // Check for any base64 functions
45
  {
46
  if ($is_first) {
47
+ $the_result .= tac_make_edit_link($tfile, $theme_title);
48
  $is_first = false;
49
  }
50
+ $the_result .= "<div class=\"tac-bad\"><strong>Line " . ($line_index+1) . ":</strong> \"" . trim(htmlspecialchars(substr(stristr($this_line, "base64"), 0, 45))) . "...\"</div>";
51
  }
52
  $line_index++;
53
  }
54
+
55
+ /*
56
+ * Check for Static Links
57
+ * Here we utilize a regex to find HTML static links in the file.
58
+ *
59
+ */
60
+
61
+ $file_string = file_get_contents($tfile);
62
+
63
+ $url_re='([[:alnum:]\-\.])+(\\.)([[:alnum:]]){2,4}([[:blank:][:alnum:]\/\+\=\%\&\_\\\.\~\?\-]*)';
64
+ $title_re='[[:blank:][:alnum:][:punct:]]*'; // 0 or more: any num, letter(upper/lower) or any punc symbol
65
+ $space_re='(\\s*)';
66
+
67
+ if (preg_match_all ("/(<a)(\\s+)(href".$space_re."=".$space_re."\"".$space_re."((http|https|ftp):\\/\\/)?)".$url_re."(\"".$space_re.$title_re.$space_re.">)".$title_re."(<\\/a>)/is", $file_string, $out, PREG_SET_ORDER))
68
+ {
69
+ $static_urls .= tac_make_edit_link($tfile, $theme_title);
70
+
71
+ foreach( $out as $key ) {
72
+ $static_urls .= "<div class=\"tac-ehh\">";
73
+ $static_urls .= htmlspecialchars($key[0]);
74
+ $static_urls .= "</div>";
75
+ }
76
+ }
77
+ } // End for each file in template loop
78
+
79
+ // Assemble the HTML results for the completed scan of the current theme
80
+ if (!isset($the_result) && !isset($static_urls)) {
81
+ return "<div class=\"tac-good-notice\">Theme Ok!</div>";
82
+ } else {
83
+ if(isset($the_result)) {
84
+ $final_string = "<div class=\"tac-bad-notice\">Encrypted Code Found!</div>".$the_result."";
85
+ } else {
86
+ $final_string = "<div class=\"tac-good-notice\">Theme Ok!</div>";
87
+ }
88
+ if(isset($static_urls)) {
89
+ $final_string .= "<div class=\"tac-ehh-notice\">Check these static link(s)...</div>".$static_urls;
90
+ }
91
+ return $final_string;
92
+ }
93
+ }
94
+
95
+
96
+ function tac_make_edit_link($tfile, $theme_title) {
97
+ // Assemble the HTML links for editing files with the built-in WP theme editor
98
+
99
+ if ($GLOBALS['wp_version'] >= "2.6") {
100
+ return "<div class=\"file-path\"><a href=\"theme-editor.php?file=/" . substr(stristr($tfile, "themes"), 0) . "&amp;theme=" . urlencode($theme_title) ."\">" . substr(stristr($tfile, "wp-content"), 0) ."</a></div>";
101
+ } else {
102
+ return "<div class=\"file-path\"><a href=\"theme-editor.php?file=" . substr(stristr($tfile, "wp-content"), 0) . "&amp;theme=" . urlencode($theme_title) ."\">" . substr(stristr($tfile, "wp-content"), 0) ."</a></div>";
103
+ }
104
+
105
+ }
106
+
107
+ function tac_get_template_files($template) {
108
+ // Scan through the template directory and add all php files to an array
109
+
110
+ $theme_root = get_theme_root();
111
+
112
+ $template_files = array();
113
+ $template_dir = @ dir("$theme_root/$template");
114
+ if ( $template_dir ) {
115
+ while(($file = $template_dir->read()) !== false) {
116
+ if ( !preg_match('|^\.+$|', $file) && preg_match('|\.php$|', $file) )
117
+ $template_files[] = "$theme_root/$template/$file";
118
+ }
119
  }
120
+
121
+ return $template_files;
122
  }
123
 
124
  function tac_page() {
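Review bot: the WordPress version check in `tac_make_edit_link` (`if ($GLOBALS['wp_version'] >= "2.6")`) is a string comparison and will misbehave once the version string has two dots or a two-digit component; use `version_compare($GLOBALS['wp_version'], '2.6', '>=')`. In the same function the file path is placed into the `href` query string and into the link text without escaping (`urlencode` is applied only to the theme title, and `substr(..., 0)` is a no-op), so a theme directory or file name containing `&` or a quote breaks the markup; run the path through `urlencode` for the parameter and `htmlspecialchars` for the link text, as is already done for the code snippets. `tac_check_theme` appends to `$the_result` and `$static_urls` with `.=` before either is assigned and then relies on `isset` to tell "nothing found" apart from "something found"; initialise both to `''` and compare against the empty string, and check the return value of `file($tfile, FILE_IGNORE_NEW_LINES)` (it returns `false` on an unreadable file, and `FILE_IGNORE_NEW_LINES` only exists on PHP 5, while the readme now says the plugin runs on WordPress 2.2, which still supported PHP 4). Two detection gaps worth documenting or closing: `tac_get_template_files` lists only `.php` files in the top level of the template directory, so templates in subdirectories and the theme's `style.css` and JavaScript files are never scanned, and the static-link regex requires `href` to directly follow `<a` and to use double quotes, so anchors written with other attributes first or with single-quoted `href` values are not reported. Finally, the notice text `Encrypted Code Found!` is misleading for a base64 match; base64 is an encoding, and the readme itself calls it that.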
126
  add_submenu_page('themes.php',__('TAC'), __('TAC'), '10', 'tac.php', 'tac');
127
  }
128
 
 
129
  function tac_init() {
130
  add_action('admin_menu', 'tac_page');
131
  }
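Review bot: the access level in `add_submenu_page('themes.php',__('TAC'), __('TAC'), '10', 'tac.php', 'tac')` is the deprecated numeric user level; since this page now links straight into the theme editor, gate it on the matching capability (`'edit_themes'`) instead, which also keeps the menu entry consistent with what the linked `theme-editor.php` page itself requires.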
136
  ?>
137
  <div class="wrap">
138
  <h2>
139
+ <?php _e('TAC (Theme Authenticity Checker)'); ?>
140
  </h2>
141
  <div class="pinfo">
142
+ TAC checks themes for malicious and potentially unwanted code.<br />For more info please go to the plugin page: <a href="http://builtbackwards.com/projects/tac/">http://builtbackwards.com/projects/tac/</a>
143
  </div>
144
  <?php
 
145
  $themes = get_themes();
 
 
146
  $theme_names = array_keys($themes);
147
  natcasesort($theme_names);
148
  foreach ($theme_names as $theme_name) {
149
+ $template_files = tac_get_template_files($themes[$theme_name]['Template']);
 
150
  $title = $themes[$theme_name]['Title'];
151
  $version = $themes[$theme_name]['Version'];
152
  $author = $themes[$theme_name]['Author'];
153
  $screenshot = $themes[$theme_name]['Screenshot'];
154
+ $stylesheet_dir = $themes[$theme_name]['Stylesheet Dir'];
155
+ ?>
156
  <div id="tacthemes">
157
  <?php if ( $screenshot ) : ?>
158
+ <img src="<?php echo get_option('siteurl') . '/wp-content' . str_replace('wp-content', '', $stylesheet_dir) . '/' . $screenshot; ?>" alt="" />
159
+ <?php else : ?>
160
+ <div class="tacnoimg">No Screenshot Found</div>
161
  <?php endif;
162
+ ?>
163
+ <div class="tacresults">
164
+ <h3>
165
+ <?php echo "$title $version by $author"; ?>
166
+ </h3>
167
+ <?php echo tac_check_theme($template_files, $title); ?>
168
+ </div>
169
  </div>
170
  <?php
171
  }
172
  echo '</div>';
173
  }
174
 
175
+ // CSS to format results of themes check
176
  function tac_css() {
177
  echo '
178
  <style type="text/css">
179
  <!--
180
+ .tac-bad, .tac-ehh {
181
+ border: 1px inset #000;
182
+ width: 90%;
183
+ margin-left: 10px;
 
184
  font-family: "Courier New", Courier, monospace;
185
+ padding: 5px;
186
+ margin-bottom: 10px;
187
+ }
188
+
189
+ .tac-bad {
190
+ background: #FFC0CB;
191
+ }
192
+
193
+ .tac-ehh {
194
+ background: #FFFEEB;
195
  }
196
 
197
+ .tac-good-notice {
198
  width: 90px;
199
  background: #3fc33f;
200
  font-size: 120%;
201
+ margin: 20px 10px 0px 0px;
202
+ padding: 10px;
203
+ border: 1px solid #000;
204
+ }
205
+
206
+ .tac-bad-notice {
207
+ width: 185px;
208
+ background: #FFC0CB;
209
+ font-size: 120%;
210
+ margin: 20px 10px 0px 0px;
211
+ padding: 10px;
212
+ border: 1px solid #000;
213
+ }
214
+
215
+ .tac-ehh-notice {
216
+ width: 215px;
217
+ background: #FFFEEB;
218
+ font-size: 120%;
219
+ margin: 20px 10px 0px 0px;
220
  padding: 10px;
221
+ border: 1px solid #ccc;
222
+ }
223
+
224
+ .file-path {
225
+ color: #666666;
226
+ text-align: right;
227
+ width: 92%;
228
+ font-size: 12px;
229
+ padding-top: 5px;
230
+ }
231
+
232
+ .file-path a {
233
+ text-decoration: none;
234
  }
235
 
236
  .pinfo {
237
  background: #DCDCDC;
238
  margin: 5px;
239
  padding: 5px;
240
+ margin-bottom: 40px;
241
  }
242
 
243
  #tacthemes {
 
244
  padding-bottom: 20px;
245
  border-bottom: 1px solid #ccc;
246
  margin: 10px;
247
  }
248
 
249
+ #tacthemes img, .tacnoimg {
250
  float: left;
251
  width: 100px;
252
  height: 75px;
253
  border: 1px solid #000;
254
+ margin: 10px 0px 10px 10px;
255
+ text-align: center;
256
+ font-size: 16px;
257
+ color: #DCDCDC;
258
+ }
259
+
260
+ .tacresults {
261
+ margin-left: 130px;
262
  }
263
  -->
264
  </style>
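Review bot: the screenshot `src` is built by hand (`get_option('siteurl') . '/wp-content' . str_replace('wp-content', '', $stylesheet_dir) . '/' . $screenshot`), which hard-codes the content directory name and echoes the theme's `Screenshot` header into an attribute without escaping; `get_theme_root_uri()` gives the themes URL directly, and the value should pass through `attribute_escape()` (available since WordPress 2.0). The heading `<?php echo "$title $version by $author"; ?>` likewise prints theme header fields unescaped and should use `htmlspecialchars`. `<div id="tacthemes">` is emitted once per theme inside the loop, producing duplicate ids on the page; make it a class (and change the `#tacthemes` selectors in `tac_css` to `.tacthemes`).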