[Vtigercrm-developers] Issues and malwares - vtiger market place extension

Pabiszczak, Błażej b.pabiszczak at opensaas.pl
Wed Apr 29 08:21:51 GMT 2015


Subject: Re: Fwd: Re: [Vtigercrm-developers] Issues and malwares - vtiger market place extension
From: Katarzyna Ulichnowska <k.ulichnowska at yetiforce.com>
To: Błażej Pabiszczak <b.pabiszczak at yetiforce.com>
Date: Today 09:49

Unfortunately, the use of a VPN won’t help too much. In some cases it helps,
but modules such as vtDebug will still load something from an external
source and that affects security. Additionally, Vtiger sends data to its
server all the time, so a regular user is attacked from every side and
doesn’t know how to protect himself. Once we analyzed what Vtiger sends to
its server and we were shocked. Data that was gathered [and probably still
is] allowed logging in to the system with an access key.

Vtiger, as well as other systems, should pass external security audits from
time to time because they are very prone and if something is noticed, it
should be fixed at once. Security is a process which is very expensive.

In the first place, you should suggest to your customers that the server on
which their CRM works should have no access to the Internet. ;)
---
Z poważaniem / Regards
Błażej Pabiszczak
M: +48.884999123
E: b.pabiszczak at opensaas.pl
------------------------------


-------- Original message --------
Subject: Re: [Vtigercrm-developers] Issues and malwares - vtiger market place extension
Date: 2015-04-28 17:45
From: Sutharsan Jeganathan <ajstharsan at gmail.com>
To: vtigercrm-developers at lists.vtigercrm.com
Reply-To: vtigercrm-developers at lists.vtigercrm.com


Hi Błażej

I was unable to go through as you have done. Great job and thank you very
much.

We always suggest that our clients put vtiger under a VPN, so that this
kind of issue may not happen, but if public access is needed it is
better to use a secured vtiger client rather than directly exposing it.


Thanks
Sutharsan Jeganathan



On Tue, Apr 28, 2015 at 6:50 PM, Pabiszczak, Błażej <
b.pabiszczak at opensaas.pl> wrote:

> Hi
>
> We gave up on Vtiger because of the producer [because of its attitude in
> particular] and mainly because the producer didn't allow us to modify the
> system files and we couldn't influence the development of the system. We
> decided to take a different path because we didn't like the limitations
> that the marketplace was about to bring. After I received your email I was
> curious and installed the latest version of Vtiger 6.2 and vtDebug. What I
> noticed was way beyond my imagination:
>
> This module modifies the system files! [and it can be published in
> marketplace?]:
>
>    - include\database\PearDatabase.php
>    - includes\http\Response.php
>    - includes\runtime\Viewer.php
>    - libraries\Smarty\libs\Smarty.class.php
>    - config.inc.php
>    - log4php.properties
>    - config.performance.php
>
> After the installation of this module each person who isn't logged in to
> the CRM has access to:
>
>    - PHPInfo - modules/vtDebug/addins/phpinfo.php
>    - Log files - modules/vtDebug/vtDebugConsole.php
>    - The configuration file !?! - modules/vtDebug/vtDebugConsole.php
>
> What is worse, the module modifies the permissions of files in logs, and
> when htaccess [mod_rewrite?] isn't read correctly, all files are
> publicly available.
>
>    - logs/viewer-debug.log
>    - logs/config.inc.txt [?????????????????!!!!!!!!!!!!!??????????]
>    - logs/adblogfile.html
>
> This way, after the installation of this module we get access to the
> database client modules/vtDebug/addins/phpinfo.php with passwords from the
> configuration file.
>
> The module loads external websites and a user cannot control it!?!:
>
>    - http://intellectmatrix.biz/myenterprises/?page_id=38
>    - http://124.123.150.63:9090/myEntPMportal/login.php
>
> Once the module is uninstalled:
>
>    - There are still logs in the system that are publicly available for
>    everyone!
>    - Changes performed by the module on the system files remain.
>    - Links to existing elements remain – this causes errors in the system.
>
> Public access to:
>
>    - modules/vtDebug/addins/phpminiadmin.php !?!
>    - modules/vtDebug/addins/anywhereindb.php !?!
>
> Data downloaded from _REQUEST isn't filtered, e.g. any file can be
> downloaded: modules/vtDebug/consoleSupport.php?mode=download&filename=../config.inc.php
>
> We spent two hours verifying this module; what would happen if we asked a
> company which looks for security gaps to analyze it?
>
> I'm curious, what is this code for:
>
> // A message to console
> $myvtDebugPhp->debug("Hello from vtDebug4PHP");
>
> // Outputting an array to console
> $cars = Array("BMW", "Mercedes", "Honda", "Toyota", "Bentley", "Skoda");
> $myvtDebugPhp->debug("Some famous cars brands", $cars);
>
> // Outputting an object to console
> $movie = new stdClass;
> $movie->name = "James Bond :: Skyfall";
> $movie->star = "Craig, Daniel";
> $movie->release = "2004";
> $movie->genre = "Action";
> $movie->producer = "United Artists";
> $movie->imdb_link = "http://www.imdb.com/title/tt1074638/";
> $myvtDebugPhp->debug("Object", $movie);
>
> I don't understand the point of encrypting the code if it can be easily
> decrypted in a few seconds. Maybe someone uses it so it isn't clearly seen
> that this module isn't written in a proper way [doesn't use Smarty,
> includes files in a wrong way and doesn't declare classes properly].
>
> We don't consider ourselves experts, but we try to write code in the
> best way, using best practices. Everyone makes mistakes. We don't
> reproach the people who created the module for anything, because it's
> obvious that no one told them how to program according to the MVC logic
> applied in Vtiger, and it can be seen that they have just started
> programming [it's a pity that it's done at the expense of others].
>
> We are resentful that the producer allows "something like that" to be
> published in the marketplace, and what annoys us even more is the fact that
> this attitude influences the way companies perceive open source solutions!
> I'm afraid to look into other modules that are in the shop.
>
> We suggest that you disable this module in the marketplace until its
> authors introduce the necessary amendments.
>
>
> Z poważaniem / Regards
> Błażej Pabiszczak
> M: +48.884999123
> E: b.pabiszczak at opensaas.pl
>
> 2015-04-25 10:44 GMT+02:00 Sutharsan Jeganathan <ajstharsan at gmail.com>:
>
>> Hi
>>
>> I am not sure whether there were ongoing discussions and/or actions on
>> this. I found that a few extensions published through the vtiger market
>> place are malfunctioning with bugs. Examples:
>>
>> 1) One of my clients purchased Labels 4 you (its4you). When editing, it
>> seems to replace quotes (') with double quotes (") in the language files;
>> this breaks the entire CRM because of an error under language/Helpdesk.php.
>>
>> 2) vtdebug - It permanently adds a debug script under Smarty debug.tpl
>> and I was unable to remove it even by uninstalling the extension.
>>
>> Anyway, I believe the purchasers/users of extensions through the vtiger
>> market place should be provided with a minimum assurance of bug-free
>> functionality.
>>
>>
>> Thanks
>> Sutharsan Jeganathan
>>
>> _______________________________________________
>> http://www.vtiger.com/
>
>


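The thread above names the vtDebug endpoints that are reachable without a login, the log files left world-readable, and the unfiltered filename parameter of consoleSupport.php. As an added example (not code from the thread or from vtiger), the following Python scan walks constructed access-log lines and flags requests for those paths and traversal in the filename parameter, so an administrator can check whether an exposed installation was probed. The combined log format and the sample lines are assumptions of this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Paths the thread reports as reachable without a CRM login (taken from the thread).
VTDEBUG_PATHS = ("modules/vtDebug/addins/phpinfo.php", "modules/vtDebug/vtDebugConsole.php",
                 "modules/vtDebug/addins/phpminiadmin.php", "modules/vtDebug/addins/anywhereindb.php",
                 "modules/vtDebug/consoleSupport.php")
# Log files the thread says are left world-readable, even after the module is uninstalled.
LEAKED_LOGS = ("logs/config.inc.txt", "logs/viewer-debug.log", "logs/adblogfile.html")
# Combined log format (assumed): ip ident user [time] "METHOD url PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) \S+" (?P<status>\d{3}) ')


def classify(line):
    """Return finding tags for one access-log line; [] when nothing matches."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("url"))
    path = unquote(parts.path).lstrip("/")
    findings = []
    if any(path.endswith(p) for p in VTDEBUG_PATHS):
        findings.append("vtdebug-endpoint")
    if any(path.endswith(p) for p in LEAKED_LOGS):
        findings.append("leaked-log-read")
    # consoleSupport.php?mode=download&filename=...: flag traversal or an absolute path.
    for fname in parse_qs(parts.query).get("filename", []):
        fname = unquote(fname)  # parse_qs decoded once; this also catches double-encoding
        if ".." in fname or fname.startswith("/"):
            findings.append("download-traversal")
    return findings


def scan(lines):
    """Return (client ip, url, status, findings) for each line with a finding."""
    hits = []
    for line in lines:
        findings = classify(line)
        if findings:
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), m.group("url"), int(m.group("status")), findings))
    return hits


# Constructed sample lines (not real traffic; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Apr/2015:09:12:01 +0000] "GET /index.php?module=Home&view=List HTTP/1.1" 200 5123',
    '203.0.113.5 - - [29/Apr/2015:09:12:09 +0000] "GET /modules/vtDebug/addins/phpinfo.php HTTP/1.1" 200 78211',
    '198.51.100.7 - - [29/Apr/2015:09:13:40 +0000] "GET /modules/vtDebug/consoleSupport.php?mode=download&filename=..%2Fconfig.inc.php HTTP/1.1" 200 2201',
    '198.51.100.7 - - [29/Apr/2015:09:13:55 +0000] "GET /logs/config.inc.txt HTTP/1.1" 200 2201',
]
```

A 200 status on any flagged line means the endpoint or log file was actually served, which is the condition the thread describes; a 404 only shows that someone looked for it.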