BASE64 usage in WPMUDEV Plugins i.e. autoblog

Hi Heroes

Why is WPMUDEV obfuscating code with BASE64?

Potential risk: High. Decode data encoded with MIME base64. May be used to obfuscating (hide) malicious code. Often paired with eval function to execute malicious code.

Kind regards
Andi

  • Ivan
    • Developer

    Hi Andi,

    Thank you for your feedback. The first case is simply how Twitter OAuth works: when the Twitter API responds, some parts need to be decoded to be used.

    In the second case, I'm not familiar with the specific plugin, but you'll notice that the function used is decode, not encode, so we're not obfuscating anything, we're just using data provided from other sources.

    Base64 is useful in many cases. Though it's sometimes marked as a potential security issue, that's only relevant if the plugin is from a suspicious source. If a user installs a plugin found somewhere on the internet and uses some checker to see if it's safe for use, then this would be a legitimate concern.

  • Ivan
    • Developer

    Hi Andi

    Yeah, that is the one. As I said, it is a nice tool to have around if you are not sure about the plugin source; people download stuff from all kinds of websites. As long as you are using a legitimate source, there is nothing to worry about regarding those specific warnings. I think that even that plugin mentions in some notice that if you trust the plugin source you can disregard security warnings. Still, it is good practice to check and understand stuff you use to the best of your abilities. Thank you for your interest.

    Kind regards
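
The scanner warning quoted in the question flags every `base64_decode` call, while its own text says the concern is a decode paired with `eval`. As an added example (not code from this thread, from WPMU DEV, or from any scanner plugin), here is a small triage heuristic that rates a decode call "high" only when its result reaches a code-executing construct and "info" otherwise. The function names and the PHP snippets are constructed for illustration, and the check is lexical, so it does not follow data across functions or files.

```python
import re

# PHP constructs that execute a string as code.
SINK = re.compile(r"\b(?:eval|assert|create_function)\s*\(", re.I)
# base64_decode call, optionally capturing the variable it is assigned to.
DECODE = re.compile(r"(?:(\$\w+)\s*=\s*)?\bbase64_decode\s*\(", re.I)

def _close_paren(src, i):
    """Index of the ')' matching the '(' at src[i]; quoted strings are skipped."""
    depth, quote = 0, None
    while i < len(src):
        c = src[i]
        if quote:
            if c == "\\":
                i += 1              # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "'\"":
            quote = c
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    return len(src)                 # unbalanced source: treat as open to the end

def classify(src):
    """Return [(line, severity)] for every base64_decode call in PHP source."""
    spans = [(m.end(), _close_paren(src, m.end() - 1)) for m in SINK.finditer(src)]
    out = []
    for m in DECODE.finditer(src):
        var = m.group(1)
        # Case 1: the decode sits inside a sink's argument list.
        nested = any(s <= m.start() < e for s, e in spans)
        # Case 2: the decoded value is stored in a variable a sink later uses.
        flows = var is not None and any(
            re.search(re.escape(var) + r"\b", src[s:e]) for s, e in spans)
        line = src.count("\n", 0, m.start()) + 1
        out.append((line, "high" if nested or flows else "info"))
    return out

# Constructed sample: decoding data received from a remote API, never executed.
SAMPLE_API = ("<?php\n// constructed sample\n"
              "$sig = base64_decode($response['signature']);\n"
              "if (hash_equals($expected, $sig)) { accept(); }\n")
# Constructed sample: decoded strings are handed to eval().
SAMPLE_LOADER = ("<?php\n// constructed sample\n$p = base64_decode($blob);\n"
                 "eval($p);\neval(base64_decode($other));\n")
```

A "high" result is a prompt to read that file by hand, and an "info" result does not certify the plugin, since the decoded value can still reach an executing construct by a route this lexical check does not see.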
