
[Schema] Critical Issue When Checking in themecheck.org


Solved by Ben

Hi, I loved your "Schema" theme by looking at it. So, I googled for a pirated copy to check the code quality. But I got some issues with security and other things.
Please check your theme here: http://themecheck.org/ and you will get many critical issues. If you fix those issues, I will buy this theme for sure. Please let me know whether you will fix those issues or not. If not, I will find another theme.
  • Support

Hello,

Thank you for contacting MyThemeShop today and sorry for any inconvenience that might have been caused due to that.

When you check themes through "themecheck.org" you are looking at random errors that the theme checker is not able to determine where they come from, so anything that it doesn't know about is classified as a "security issue". It is not a good way to check a theme if you don't know what the errors are. Our theme Schema has no security errors and is perfectly safe; there are hundreds of users using it and we have had no reports of issues. However, since you have gotten a pirated copy of it, it is logical to assume that your copy might actually be pirated and contain unsafe code. That is why it is wiser to purchase the theme from us rather than obtaining pirated copies. Nothing is free; if someone is giving you a premium theme for free, you should be skeptical and ask yourself why they are giving it to you for free. The way hackers spread code is by giving away free themes, so you should not use those files, not even download them to your computer. Instead, purchase the theme.

Looking forward to helping you. Thank you.


Hi, you said that

21 minutes ago, MistaPrime said:

When you check themes through the "themecheck.org" you are looking at random errors that the theme checker is not able to determine where they come from, so anything that it doesn't know about is classified as a "security issue".

 
The checker knows perfectly well where they come from. Check the list below. Also, "themecheck.org" is a good way to check a WP theme. Can you assure me that the issues listed below are not present in your theme?
Critical alerts
  1. Security breaches : Modification of PHP server settings
     Found ini_set in file wordpress-importer.php.
     Line 108: ini_set('max_execution_time', -1);
     Line 134: ini_set('max_execution_time', $max_execution_time);
  2. Security breaches : Use of base64_decode()
     Found base64_decode in file twitteroauth.php.
     Line 141: $decoded_sig = base64_decode($signature); // base64_encode() required by Twitter!
  3. Security breaches : Use of base64_encode()
     Found base64_encode in file twitteroauth.php.
     return base64_encode(hash_hmac('sha1', $base_string, $key, true)); // base64_encod
     return base64_encode($signature); // base64_encode() required by Twitter!
     $decoded_sig = base64_decode($signature); // base64_encode() required by Twitter!
  4. Malware : Operations on file system
     file_get_contents was found in the file parsers.php
     Line 68: $contents = file_get_contents( $file );
     Line 275: if ( ! xml_parse( $xml, file_get_contents( $file ), true ) ) {
     fopen was found in the file parsers.php
     Line 421: $fp = $this->fopen( $file, 'r' );
     Line 647: function fopen( $filename, $mode = 'r' ) {
     Line 650: return fopen( $filename, $mode );
     fclose was found in the file parsers.php
     Line 470: $this->fclose($fp);
     Line 665: function fclose( $fp ) {
     Line 668: return fclose( $fp );
     file_get_contents was found in the file radium-importer.php
     Line 293: $data = file_get_contents( $file );
     Line 384: $data = file_get_contents( $file );
     file_get_contents was found in the file radium-importer.php
     Line 292: $data = file_get_contents( $file );
     Line 369: $data = file_get_contents( $file );
     file_get_contents was found in the file plugin-activation.php
     Line 2416: $plugin = @json_decode( @file_get_contents( 'https://api.wordpress.org/plugins/info/1.0/' . $item['s
     file_get_contents was found in the file twitteroauth.php
     Line 201: //file_get_contents(self::$POST_INPUT)
  5. Malware : Network operations
     curl_init was found in the file twitteroauth.php
     Line 1008: $ci = curl_init();
     curl_exec was found in the file twitteroauth.php
     Line 1034: $response = curl_exec($ci);
  6. Admin menu : Themes should use add_theme_page() for adding admin pages.
     File theme-options.php :
     Line 112: //the list of available parent menus is available here: http://codex.wordpress.org/Function_Reference/add_submenu_page#Parameters
     File plugin-activation.php :
     Line 646: $this->page_hook = call_user_func( 'add_{$type}_page', $args['parent_slug'], $args['page_title'], $args['menu_t
     File plugin-activation.php :
     Line 3922: add_menu_page(
  • Solution

Hello,

I checked the files in question and I can assure you that all the issues listed are false positives, none of them pose any risk.

1. You can see that ini_set() is only being used to try and extend the max_execution_time, to avoid timeout issues on some servers. There is nothing wrong with this usage.

2. & 3. While the base64_ functions may indicate obfuscated code (malware), they have numerous legitimate uses, and in this case, they are required by the Twitter API.

4. & 5. file_get_contents(), fopen() and fclose() are required for the demo importer to work correctly. curl_init() and curl_exec() are used by the Twitter API library. I'm not sure why these get simply flagged as "Malware" by the checker tool.

6. It is true that add_theme_page() is recommended for themes, however, the options it provides are limited, and there is no difference in performance or otherwise when compared with other similar functions, like add_menu_page().

Please note that the checker even flagged some commented out lines in the code, which never get executed and have no effect at all. This also shows that the tool checks themes in a rather basic and unsophisticated manner.

Hope that helps. If you have any questions, please feel free to ask. Thank you.
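As an added illustration of Ben's point above (this is not code from the thread, the Schema theme, or themecheck.org), the following Python scanner shows why name-only matching produces the noise in that report: it separates genuine builtin calls from hits that sit in comments, from calls to a class's own wrapper method ($this->fopen()) and from the declaration of that wrapper. The sample lines are constructed to mirror ones quoted in the report; the kind labels and the choice of flagged names are my own.

```python
import re
# Builtins the thread's checker flags by name alone (taken from the report above).
FLAGGED = ("ini_set", "base64_decode", "base64_encode", "file_get_contents", "fopen", "fclose", "curl_init", "curl_exec")
NAME_RE = re.compile(r"(?<![\w$])(" + "|".join(FLAGGED) + r")\s*\(")

def strip_line_comment(line):
    # Prefix of a PHP line before any // or # comment, ignoring markers inside string
    # literals. Simplification: no /* */ block comments or heredocs are handled.
    out, quote, i = [], None, 0
    while i < len(line):
        c = line[i]
        if quote:
            if c == "\\":                          # keep escaped char, e.g. \' in '...'
                out.append(line[i:i + 2]); i += 2; continue
            if c == quote: quote = None
        elif c in "'\"": quote = c
        elif c == "#" or line.startswith("//", i):
            break
        out.append(c); i += 1
    return "".join(out)

def classify_line(line):  # -> [(name, kind), ...] for each flagged name on one line
    code = strip_line_comment(line)   # anything at or past len(code) is comment text
    hits = []
    for m in NAME_RE.finditer(line):
        before = line[:m.start()].rstrip()
        if m.start() >= len(code):
            kind = "comment-only"     # never executed; pure checker noise
        elif before.endswith(("->", "::")):
            kind = "wrapper-method"   # $this->fopen(): the class's own wrapper
        elif before.endswith("function"):
            kind = "declaration"      # function fopen(): defines that wrapper
        else:
            kind = "builtin-call"     # the only kind that merits a human look
        hits.append((m.group(1), kind))
    return hits

def scan(source):  # -> [(line_no, name, kind), ...] over PHP source text
    return [(n, name, kind) for n, line in enumerate(source.splitlines(), 1)
            for name, kind in classify_line(line)]

# Constructed sample mirroring lines quoted in the themecheck report above.
SAMPLE = """\
ini_set('max_execution_time', -1);
return base64_encode(hash_hmac('sha1', $base_string, $key, true)); // base64_encode() required by Twitter!
$fp = $this->fopen( $file, 'r' );
function fopen( $filename, $mode = 'r' ) {
//file_get_contents(self::$POST_INPUT)
"""
```

Of the six hits a name-only checker reports on the sample, only two are calls into the PHP builtin from executable code; the rest are a comment, a wrapper call and a wrapper declaration, which is exactly the triage a reviewer does by hand.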
