[Vtigercrm-developers] Issues and malwares - vtiger market place extension

Uma S uma.s at vtiger.com
Tue Apr 28 13:46:14 GMT 2015


Hi,

Thanks for your detailed explanation of the issue you are facing.

We apologize for the inconsistency caused; we will review this extension more
closely and get back with an update soon.

On Tue, Apr 28, 2015 at 6:50 PM, Pabiszczak, Błażej <
b.pabiszczak at opensaas.pl> wrote:

> Hi
>
> We gave up on Vtiger because of the producer [because of its attitude in
> particular] and mainly because the producer didn’t allow us to modify the
> system files and we couldn’t influence the development of the system. We
> decided to take a different path because we didn’t like the limitations
> that the marketplace was about to bring. After I received your email I was
> curious and installed the latest version of Vtiger 6.2 and vtDebug. What I
> noticed was way beyond my imagination:
>
> This module modifies the system files! [and it can be published in the
> marketplace?]:
>
>    - include\database\PearDatabase.php
>    - includes\http\Response.php
>    - includes\runtime\Viewer.php
>    - libraries\Smarty\libs\Smarty.class.php
>    - config.inc.php
>    - log4php.properties
>    - config.performance.php
>
> After the installation of this module each person who isn’t logged in to
> the CRM has access to:
>
>    - PHPInfo - modules/vtDebug/addins/phpinfo.php
>    - Log files - modules/vtDebug/vtDebugConsole.php
>    - The configuration file !?! - modules/vtDebug/vtDebugConsole.php
>
> What is worse, the module modifies the permissions of files in logs, and when
> htaccess [mod_rewrite?] isn’t read correctly all files are
> publicly available.
>
>    - logs/viewer-debug.log
>    - logs/config.inc.txt [?????????????????!!!!!!!!!!!!!??????????]
>    - logs/adblogfile.html
>
> This way, after the installation of this module we get access to the
> database client modules/vtDebug/addins/phpinfo.php with passwords from the
> configuration file.
>
> The module loads external websites and the user cannot control this!?!:
>
>    - http://intellectmatrix.biz/myenterprises/?page_id=38
>    - http://124.123.150.63:9090/myEntPMportal/login.php
>
> Once the module is uninstalled:
>
>    - There are still logs in the system that are publicly available for
>    everyone!
>    - Changes performed by the module on the system files remain.
>    - Links to existing elements remain – this causes errors in the system.
>
> Public access to:
>
>    - modules/vtDebug/addins/phpminiadmin.php !?!
>    - modules/vtDebug/addins/anywhereindb.php !?!
>
> Data downloaded from _REQUEST isn’t filtered, e.g. any file can be
> downloaded: modules/vtDebug/consoleSupport.php?mode=download&filename=../config.inc.php
>
> We spent two hours verifying this module; what would happen if we asked a
> company that looks for security gaps to analyze it?
>
> I’m curious, what is this code for:
>
> // A message to console
> $myvtDebugPhp->debug("Hello from vtDebug4PHP");
>
> // Outputting an array to console
> $cars = Array("BMW", "Mercedes", "Honda", "Toyota", "Bentley", "Skoda");
> $myvtDebugPhp->debug("Some famous cars brands", $cars);
>
> // Outputting an object to console
> $movie = new stdClass;
> $movie->name = "James Bond :: Skyfall";
> $movie->star = "Craig, Daniel";
> $movie->release = "2004";
> $movie->genre = "Action";
> $movie->producer = "United Artists";
> $movie->imdb_link = "http://www.imdb.com/title/tt1074638/";
> $myvtDebugPhp->debug("Object", $movie);
>
> I don’t understand the point of encrypting the code if it can be easily
> decrypted in a few seconds. Maybe someone uses it so it isn’t clearly seen
> that this module isn’t written in a proper way [doesn’t use Smarty,
> includes files in a wrong way and doesn’t declare classes properly].
>
> We don’t consider ourselves experts, but we are trying to write the
> code in the best way and using best practices. Everyone makes mistakes. We
> don’t reproach the people who created the module for anything, because it’s
> obvious that no one told them how to program according to the MVC logic applied
> in Vtiger, and it can be seen that they have just started programming [it’s
> a pity that it’s done at the expense of others].
>
> We are resentful that the producer allows “something like that” to be published
> in the marketplace, and what annoys us even more is the fact that this attitude
> influences the way companies perceive open source solutions! I’m afraid to
> look into other modules that are in the shop.
>
> We suggest you disable this module in the marketplace until its authors
> introduce the necessary amendments.
>
>
> Z poważaniem / Regards
> Błażej Pabiszczak
> M: +48.884999123
> E: b.pabiszczak at opensaas.pl
>
> 2015-04-25 10:44 GMT+02:00 Sutharsan Jeganathan <ajstharsan at gmail.com>:
>
>> Hi
>>
>> I am not sure whether there were ongoing discussions and/or actions on
>> this. I found a few extensions published through the vtiger market place that
>> are malfunctioning with bugs. Examples:
>>
>> 1) One of my clients purchased Labels 4 you (its4you) - When editing, it
>> seems to replace quotes (') with double quotes (") in language files, and this
>> breaks the entire CRM because of an error under language/Helpdesk.php.
>>
>> 2) vtdebug - It permanently adds a debug script under Smarty debug.tpl
>> and I was unable to remove it even by uninstalling the extension.
>>
>> Anyway, I believe the purchasers / users of extensions through the vtiger market
>> place should be provided with a minimum assurance of bug-free functionality.
>>
>>
>> Thanks
>> Sutharsan Jeganathan
>>
>> _______________________________________________
>> http://www.vtiger.com/
>>
>
>
>



-- 
With
Best Regards
Uma.S
Vtiger Team
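Added example (not vtDebug's or Vtiger's own code) of how a download handler like the `mode=download&filename=` one described above can be written so that a user-supplied name cannot escape the intended directory; `ALLOWED_DIR` and the `$_SESSION['authenticated_user']` check are assumptions for the illustration.

```php
<?php
// Hardened download handler, added here as an illustration only.
// Assumes files a user may legitimately fetch live under ALLOWED_DIR and that
// the application stores the logged-in user in $_SESSION['authenticated_user'].
declare(strict_types=1);

const ALLOWED_DIR = __DIR__ . '/downloads';   // assumed export directory

/**
 * Resolve a user-supplied name to an absolute path inside ALLOWED_DIR, or
 * return null if it points anywhere else (../ segments, absolute paths,
 * or a symlink that resolves outside the directory).
 */
function safeDownloadPath(string $requested): ?string
{
    // Only a bare file name is acceptable: "../config.inc.php" or "/etc/x"
    // differ from their basename and are rejected before touching the disk.
    if ($requested === '' || $requested !== basename($requested)) {
        return null;
    }
    $base = realpath(ALLOWED_DIR);
    $full = realpath(ALLOWED_DIR . DIRECTORY_SEPARATOR . $requested);
    // realpath() returns false for missing files and collapses symlinks,
    // so the prefix check below also catches links pointing out of $base.
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Never serve anything to an unauthenticated visitor (assumed session key).
session_start();
if (empty($_SESSION['authenticated_user'])) {
    http_response_code(403);
    exit('login required');
}

if (($_REQUEST['mode'] ?? '') === 'download') {
    $path = safeDownloadPath((string)($_REQUEST['filename'] ?? ''));
    if ($path === null) {
        http_response_code(400);
        exit('invalid filename');
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
}
```

The same realpath-plus-prefix check is the one to apply to any log viewer or config reader that takes a file name from `$_REQUEST`, and the directory it serves from should never be the CRM root or `logs/`.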