[Vtigercrm-developers] Issues and malwares - vtiger market place extension

Sutharsan Jeganathan ajstharsan at gmail.com
Tue Apr 28 15:45:31 GMT 2015


Hi Błażej

I was unable to go through as you have done. Great job and thank you very
much.

We always suggest that our clients put vtiger behind a VPN, so that this
kind of issue does not happen; if public access is needed, it is better
to use a secured vtiger client rather than exposing it directly.


Thanks
Sutharsan Jeganathan



On Tue, Apr 28, 2015 at 6:50 PM, Pabiszczak, Błażej <
b.pabiszczak at opensaas.pl> wrote:

> Hi
>
> We gave up on Vtiger because of the producer [because of its attitude in
> particular] and mainly because the producer didn’t allow us to modify the
> system files and we couldn’t influence the development of the system. We
> decided to take a different path because we didn’t like the limitations
> that the marketplace was about to bring. After I received your email I was
> curious and installed the latest version of Vtiger 6.2 and vtDebug. What I
> noticed was way beyond my imagination:
>
> This module modifies the system files! [and it can be published in
> marketplace?]:
>
>    - include\database\PearDatabase.php
>    - includes\http\Response.php
>    - includes\runtime\Viewer.php
>    - libraries\Smarty\libs\Smarty.class.php
>    - config.inc.php
>    - log4php.properties
>    - config.performance.php
>
> After the installation of this module each person who isn’t logged in to
> the CRM has access to:
>
>    - PHPInfo - modules/vtDebug/addins/phpinfo.php
>    - Log files - modules/vtDebug/vtDebugConsole.php
>    - The configuration file !?! - modules/vtDebug/vtDebugConsole.php
>
> What is worse, the module modifies the permissions of files in logs, and
> when htaccess [mod_rewrite?] isn't read correctly all files are publicly
> available.
>
>    - logs/viewer-debug.log
>    - logs/config.inc.txt [?????????????????!!!!!!!!!!!!!??????????]
>    - logs/adblogfile.html
>
> This way, after the installation of this module we get access to the
> database client modules/vtDebug/addins/phpinfo.php with passwords from the
> configuration file.
>
> The module loads external websites and a user cannot control it!?!:
>
>    - http://intellectmatrix.biz/myenterprises/?page_id=38
>    - http://124.123.150.63:9090/myEntPMportal/login.php
>
> Once the module is uninstalled:
>
>    - There are still logs in the system that are publicly available for
>    everyone!
>    - Changes performed by the module on the system files remain.
>    - Links to existing elements remain – this causes errors in the system.
>
> Public access to:
>
>    - modules/vtDebug/addins/phpminiadmin.php !?!
>    - modules/vtDebug/addins/anywhereindb.php !?!
>
> Data taken from _REQUEST isn't filtered, e.g. any file can be
> downloaded: modules/vtDebug/consoleSupport.php?mode=download&filename=../config.inc.php
>
> We spent two hours verifying this module; what would happen if we asked a
> company that looks for security gaps to analyze it?
>
> I’m curious, what is this code for:
>
> // A message to console
> $myvtDebugPhp->debug("Hello from vtDebug4PHP");
>
> // Outputting an array to console
> $cars = Array("BMW", "Mercedes", "Honda", "Toyota", "Bentley", "Skoda");
> $myvtDebugPhp->debug("Some famous cars brands", $cars);
>
> // Outputting an object to console
> $movie = new stdClass;
> $movie->name = "James Bond :: Skyfall";
> $movie->star = "Craig, Daniel";
> $movie->release = "2004";
> $movie->genre = "Action";
> $movie->producer = "United Artists";
> $movie->imdb_link = "http://www.imdb.com/title/tt1074638/";
> $myvtDebugPhp->debug("Object", $movie);
>
> I don’t understand the point of encrypting the code if it can be easily
> decrypted in a few seconds. Maybe someone uses it so it isn’t clearly seen
> that this module isn’t written in a proper way [doesn’t use Smarty,
> includes files in the wrong way and doesn’t declare classes properly].
>
> We don’t consider ourselves experts, but we try to write code in the
> best way, using best practices. Everyone makes mistakes. We don’t
> reproach the people who created the module for anything, because it’s
> obvious that no one told them how to program according to the MVC logic
> applied in Vtiger, and it can be seen that they have just started
> programming [it’s a pity that it’s done at the expense of others].
>
> We are resentful that the producer allows “something like that” to be
> published in the marketplace, and what annoys us even more is the fact
> that this attitude influences the way companies perceive open source
> solutions! I’m afraid to look into other modules that are in the shop.
>
> We suggest you disable this module in the marketplace until its authors
> introduce the necessary amendments.
>
>
> Yours sincerely / Regards
> Błażej Pabiszczak
> M: +48.884999123
> E: b.pabiszczak at opensaas.pl
>
> 2015-04-25 10:44 GMT+02:00 Sutharsan Jeganathan <ajstharsan at gmail.com>:
>
>> Hi
>>
>> I am not sure whether there were ongoing discussions and/or actions on
>> this. I found that a few extensions published through the vtiger marketplace
>> are malfunctioning with bugs. Examples:
>>
>> 1) One of my clients purchased Labels 4 you (its4you). When editing, it
>> seems to replace single quotes (') with double quotes (") in language files;
>> this breaks the entire CRM because of an error under language/Helpdesk.php.
>>
>> 2) vtdebug - It permanently adds a debug script under Smarty debug.tpl,
>> and I was unable to remove it even by uninstalling the extension.
>>
>> Anyway, I believe the purchasers / users of extensions bought through the
>> vtiger marketplace should be provided with a minimum assurance of bug-free
>> functionality.
>>
>>
>> Thanks
>> Sutharsan Jeganathan
>>
>> _______________________________________________
>> http://www.vtiger.com/
>>
>
>
>
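The unfiltered filename parameter described in the quoted message (mode=download&filename=../config.inc.php) is a textbook path traversal: the request value is joined to the logs directory and read back as-is. The following is an added example written for this page, not vtDebug's own code or vtiger's: a minimal PHP download resolver in the vulnerable shape beside a hardened one that resolves both paths with realpath() and refuses anything that does not land strictly inside the logs directory. The function names, the temporary directory layout and the file contents are constructed for the illustration.

```php
<?php
// Added example, not vtDebug's or vtiger's code. Function names, the
// temporary directory layout and the file contents are assumptions made
// for this illustration.

// Vulnerable shape: the request parameter is appended to the logs directory
// and read without any check, so "../config.inc.php" walks out of it.
function vulnerable_download(string $logsDir, string $filename): ?string
{
    $contents = @file_get_contents($logsDir . '/' . $filename);
    return $contents === false ? null : $contents;
}

// Hardened shape: resolve both sides with realpath() (which collapses ".."
// and follows symlinks) and serve the file only if it is a regular file
// whose resolved path starts with the resolved logs directory.
function resolve_download_path(string $logsDir, string $filename): ?string
{
    // Reject empty names and embedded null bytes before touching the file system.
    if ($filename === '' || strpos($filename, "\0") !== false) {
        return null;
    }
    $base = realpath($logsDir);
    if ($base === false) {
        return null;
    }
    // Trailing separator so that "logs-old/" cannot pass as "logs/".
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    $target = realpath($logsDir . DIRECTORY_SEPARATOR . $filename);
    if ($target === false || !is_file($target)) {
        return null; // does not exist, or is a directory
    }
    if (strncmp($target, $base, strlen($base)) !== 0) {
        return null; // resolved outside the logs directory
    }
    return $target;
}

// Self-check against a constructed temporary layout:
//   <tmp>/config.inc.php          (must never be served)
//   <tmp>/logs/viewer-debug.log   (legitimate download)
function self_test(): array
{
    $root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'vtdebug_example_' . bin2hex(random_bytes(4));
    mkdir($root . '/logs', 0700, true);
    file_put_contents($root . '/config.inc.php', "<?php \$dbconfig['db_password'] = 'constructed';\n");
    file_put_contents($root . '/logs/viewer-debug.log', "constructed log line\n");

    $results = [
        'vulnerable_leaks_config'   => vulnerable_download($root . '/logs', '../config.inc.php') !== null,
        'hardened_blocks_traversal' => resolve_download_path($root . '/logs', '../config.inc.php') === null,
        'hardened_blocks_absolute'  => resolve_download_path($root . '/logs', $root . '/config.inc.php') === null,
        'hardened_serves_log'       => resolve_download_path($root . '/logs', 'viewer-debug.log')
                                       === realpath($root . '/logs/viewer-debug.log'),
    ];

    // Remove the constructed files again.
    unlink($root . '/logs/viewer-debug.log');
    unlink($root . '/config.inc.php');
    rmdir($root . '/logs');
    rmdir($root);

    return $results;
}

var_export(self_test());
```

Run it with php from the command line; every entry in the printed array should be true. The containment check is done on the realpath() result rather than on the raw string, so ".." segments and symlinks are collapsed before the prefix comparison. This only stops the application from serving files it should not; the other findings in the thread (log files dropped under the web root, the htaccess fallback not being read) still require the web server itself to deny direct access to those paths.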