false positive P1410 and cmsmadesimple/coppermine etc.?

Posted: 28 Nov 2017, 08:53
by webk
Hi there,

we're getting a lot of alerts for exploit P1410 but the affected files seem to be a simple archive script included in a lot of apps like coppermine, joomla extensions, CMS Made Simple and so on. The apparently bad file is even included in official sources of the named products. I don't know if maybe some malware used partially the same code as the legitimate script and now all are matched to be an exploit?

Example files:
cmsmadesimple:
http://svn.cmsmadesimple.org/svn/cmsmad ... /untgz.php

b2evolution:
https://raw.githubusercontent.com/b2evo ... chives.php

coppermine:
https://github.com/coppermine-gallery/c ... rchive.php

Thank you very much for checking, I hope there is a quick fix or explanation.

- Sandro

Re: false positive P1410 and cmsmadesimple/coppermine etc.?

Posted: 28 Nov 2017, 08:57
by ForumAdmin
Just had a quick look - If you update as follows it should now be resolved:

rm -fv /etc/cxs/new.fp
cxs -U

Re: false positive P1410 and cmsmadesimple/coppermine etc.?

Posted: 28 Nov 2017, 09:05
by webk
Thank you for your very quick reply!

I just tried that and uploaded one of the mentioned files but it still was matched as P1410. Just to be sure: I don't have to restart the service after the upgrade, right?

Re: false positive P1410 and cmsmadesimple/coppermine etc.?

Posted: 28 Nov 2017, 09:11
by webk
I did it again and now it works. No clue why I had to do it twice but thank you very much for your help! :-)