[Vtigercrm-developers] Issues and malwares - vtiger market place extension

Pabiszczak, Błażej b.pabiszczak at opensaas.pl
Tue Apr 28 13:20:33 GMT 2015


We gave up on Vtiger because of the producer [because of its attitude in
particular] and mainly because the producer didn’t allow us to modify the
system files and we couldn’t influence the development of the system. We
decided to take a different path because we didn’t like the limitations
that the marketplace was about to bring. After I received your email I was
curious and installed the latest version of Vtiger 6.2 and vtDebug. What I
noticed was way beyond my imagination:

This module modifies the system files! [and it can be published in

   - include\database\PearDatabase.php
   - includes\http\Response.php
   - includes\runtime\Viewer.php
   - libraries\Smarty\libs\Smarty.class.php
   - config.inc.php
   - log4php.properties
   - config.performance.php

After the installation of this module each person who isn’t logged in to
the CRM has access to:

   - PHPInfo - modules/vtDebug/addins/phpinfo.php
   - Log files - modules/vtDebug/vtDebugConsole.php
   - The configuration file !?! - modules/vtDebug/vtDebugConsole.php

What is worse, the module modifies the permissions of files in logs, and when
a correct reading of htaccess [mod_rewrite?] isn’t working, all files are
publicly available.

   - logs/viewer-debug.log
   - logs/config.inc.txt [?????????????????!!!!!!!!!!!!!??????????]
   - logs/adblogfile.html

This way, after the installation of this module we get access to the
database client modules/vtDebug/addins/phpinfo.php with passwords from the
configuration file.

The module loads external websites and a user cannot control it!?!:

   - http://intellectmatrix.biz/myenterprises/?page_id=38

Once the module is uninstalled:

   - There are still logs in the system that are publicly available for
   - Changes performed by the module on the system files remain.
   - Links to existing elements remain – this causes errors in the system.

Public access to:

   - modules/vtDebug/addins/phpminiadmin.php !?!
   - modules/vtDebug/addins/anywhereindb.php !?!

Data downloaded from _REQUEST isn’t filtered, e.g. any file can be
downloaded: modules/vtDebug/consoleSupport.php?mode=download&filename=../config.inc.php

We spent two hours verifying this module; what would happen if we asked a
company that looks for security gaps to analyze it?

I’m curious, what is this code for:

// A message to console
$myvtDebugPhp->debug("Hello from vtDebug4PHP");

// Outputting an array to console
$cars = Array("BMW", "Mercedes", "Honda", "Toyota", "Bentley", "Skoda");
$myvtDebugPhp->debug("Some famous cars brands", $cars);

// Outputting an object to console
$movie = new stdClass;
$movie->name = "James Bond :: Skyfall";
$movie->star = "Craig, Daniel";
$movie->release = "2004";
$movie->genre = "Action";
$movie->producer = "United Artists";
$movie->imdb_link = "http://www.imdb.com/title/tt1074638/";
$myvtDebugPhp->debug("Object", $movie);

I don’t understand the point of encrypting the code if it can be easily
decrypted in a few seconds. Maybe someone uses it so it isn’t clearly seen
that this module isn’t written in a proper way [doesn’t use smarts,
includes files in a wrong way and doesn’t declare classes properly].

We don’t consider ourselves experts, but we are trying to write the code in
the best way and using best practices. Everyone makes mistakes. We don’t
reproach the people who created the module for anything, because it’s obvious
that no one told them how to program according to the MVC logic applied in
Vtiger, and it can be seen that they have just started programming [it’s a
pity that it’s done at the expense of others].

We are resentful that the producer allows “something like that” to be
published in the marketplace, and what annoys us even more is the fact that
this attitude influences the way companies perceive open source solutions! I’m
afraid to look into other modules that are in the shop.

We suggest that you disable this module in the marketplace until its authors
introduce the necessary amendments.

Z poważaniem / Regards
Błażej Pabiszczak
M: +48.884999123
E: b.pabiszczak at opensaas.pl
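The unfiltered download parameter described above is the kind of input a module should constrain before touching the filesystem. The following is an added example, not code from vtDebug or Vtiger: a helper that accepts a user-supplied file name only if it resolves to a regular file inside one whitelisted logs directory. The function name and $logsDir are assumptions made for this illustration.

```php
<?php
// Added example, not vtDebug's own code: a download helper that restricts a
// user-supplied "filename" to one whitelisted directory, closing the traversal
// described above (consoleSupport.php?mode=download&filename=../config.inc.php).
// The function name and $logsDir are assumptions made for this illustration.

function safe_download_path(string $allowedDir, string $requested): ?string
{
    $base = realpath($allowedDir);   // canonical form of the allowed directory
    if ($base === false) {
        return null;
    }
    // Accept only a bare file name: no path separators, no NUL bytes, no names
    // starting with a dot. basename() differs from the input for "../x" or "a/../x".
    if ($requested === '' || $requested !== basename($requested)
        || strpos($requested, "\0") !== false || $requested[0] === '.') {
        return null;
    }
    // Resolve the candidate and confirm it still lies inside $base. realpath()
    // follows symlinks, so a symlink escaping the directory is rejected too.
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || !is_file($full)
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Constructed demonstration: a temporary "logs" directory holding one log file.
$logsDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'vtdebug_demo_' . getmypid();
mkdir($logsDir);
file_put_contents($logsDir . DIRECTORY_SEPARATOR . 'viewer-debug.log', "demo log line\n");

$cases = [
    'viewer-debug.log',        // legitimate request: resolved inside $logsDir
    '../config.inc.php',       // traversal from the e-mail: rejected
    'logs/../config.inc.php',  // contains a separator: rejected
    '.htaccess',               // dot file: rejected
];
foreach ($cases as $name) {
    $result = safe_download_path($logsDir, $name);
    printf("%-25s => %s\n", $name, $result === null ? 'REJECTED' : 'OK');
}
unlink($logsDir . DIRECTORY_SEPARATOR . 'viewer-debug.log');
rmdir($logsDir);
```

The realpath() check is what matters: a blacklist of "../" alone misses encoded or symlinked variants, whereas comparing the resolved path against the resolved base directory rejects anything that ends up outside it.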

2015-04-25 10:44 GMT+02:00 Sutharsan Jeganathan <ajstharsan at gmail.com>:

> Hi
> I am not sure whether there were ongoing discussions and/or actions on
> this. I found a few extensions published through the vtiger market place are
> malfunctioning with bugs. Example
> 1) One of my clients purchased Labels 4 you (its4you) - When editing it
> seems to replace language files from quote (') to double quote ("), this
> breaks the entire crm because of an error under language/Helpdesk.php.
> 2) vtdebug - It permanently adds a debug script under Smarty debug.tpl and
> I was unable to remove it even by uninstalling the extension.
> Anyway I believe the purchasers / users of extensions through the vtiger market
> place should be provided with a minimum assurance of bug free functionality.
> Thanks
> Sutharsan Jeganathan
> _______________________________________________
> http://www.vtiger.com/