salesagility / SuiteCRM

SuiteCRM - Open source CRM for the world
https://www.suitecrm.com
GNU Affero General Public License v3.0

Insideview banner advertisement popping out #8752

Open francescor opened 4 years ago

francescor commented 4 years ago

We just noticed an advertisement while surfing our privately hosted SuiteCRM installation.

The advert promotes http://www.insideview.com, where in the terms of use at http://www.insideview.com/cat-terms-use.html I read something very serious (and bad):

"You hereby grant InsideView a non-exclusive, royalty-free, worldwide license to use the Customer Data as may be reasonable or necessary for InsideView to provide the Services to You."

The advert is at the center of a page while viewing a customer's (our customer!) data, and the banner says: if you click you agree (!!)

We are willing to send you the screenshot if you want.

SuiteCRM Version 7.11.13, with data imported from Sugar Version 6.5.25 (Build 344), on a brand new Linux CentOS 7, PHP 7.4

francescor commented 4 years ago

This is the HTML code that produces the banner:

          <a href="#" onclick="hideSubPanel('insideview');document.getElementById('hide_link_insideview').style.display='none';document.getElementById('show_link_insideview').style.display='';return false;"></a>
          <div style="width: 100%; float: left; padding: 10px 0px 20px 0pt;">
            <a target="_blank" href="http://community.insideview.com/t5/Getting-Started/Find-Opportunities-to-Reach-Out-to-Customers/ta-p/1133" style="float: left; width: 230px;display:block;text-decoration:none;">
                <img title="Find Opportunities" src="https://my.insideview.com/iv/common/ruby/images/sugarembed-img1.png" style="float: left;border:0 solid;">
                <div style="float: left; padding-top: 11px; width: 150px;">
                    <span style="color: #990000; float: left; font-family: arial; font-size: 14px; font-weight: bold;">Find Opportunities</span>
                    <span style="font-size: 10px; font-weight: bold; font-family: arial; color: #333333;float: left;">to reach out to customers</span>
                </div>
            </a>
            <a target="_blank" href="http://community.insideview.com/t5/Getting-Started/Get-Referrals-to-Key-Decision-Makers/ta-p/1141" style="float: left; width: 230px;display:block;text-decoration:none;">
                <img title="Get Referrals" src="https://my.insideview.com/iv/common/ruby/images/sugarembed-img2.png" style="float: left;border:0 solid;">
                <div style="float: left; padding-top: 11px; padding-left: 10px;width: 150px;">
                    <span style="color: #990000; float: left; font-family: arial; font-size: 14px; font-weight: bold;">Get Referrals</span>
                    <span style="font-size: 10px; font-weight: bold; font-family: arial; color: #333333;float: left;">to key decision makers</span>
                </div>
            </a>
            <a target="_blank" href="http://community.insideview.com/t5/Getting-Started/Engage-Prospects-and-Customers/ta-p/1127" style="float: left; width: 230px;display:block;text-decoration:none;">
                <img title="Engage Customers" src="https://my.insideview.com/iv/common/ruby/images/sugarembed-img3.png" style="float: left;border:0 solid;">
                <div style="float: left; padding-top: 11px; padding-left: 10px;width: 140px;">
                    <span style="color: #990000; float: left; font-family: arial; font-size: 14px; font-weight: bold;">Engage Customers</span>
                    <span style="font-size: 10px; font-weight: bold; font-family: arial; color: #333333;float: left;">with conversation starters</span>
                </div>
            </a>
          </div>
          <hr style="border-color: rgb(238, 238, 238); background-color: rgb(238, 238, 238); width: 100%;">
          <form>
              <input type="checkbox" class="checkbox" name="insideview_accept_box" id="insideview_accept_box" style="display: none;" onclick="toggleGettingStartedButton();">
              <div style="float:left;padding:0 0 10px 0">
                    <div style="font-size: 11px; float:left;margin: 5px 15px 0px 150px;">
                        By clicking "Get Started" you agree to InsideView's&nbsp;<a href="http://www.insideview.com/cat-terms-use.html" target="_blank" style="color:#0099CC;text-decoration: none; font-size: 11px;">Terms of Use</a>&nbsp;and&nbsp;<a style="color:#0099CC;text-decoration: none; font-size: 11px;" target="_blank" href="http://www.insideview.com/cat-privacy.html">Privacy Policy</a>.
                    </div>
                    <div onclick="allowInsideView(); return false;" name="insideview_accept_button" id="insideview_accept_button" style="float:right;height: 30px; background-image: url('https://my.insideview.com/iv/common/ruby/images/sugarembed-button.png');font-weight: bold; width: 113px; font-size: 14px;cursor:pointer;">
                        <div style="float:left;margin:7px 0 0 18px;color:#ffffff;">Get Started!</div>
                    </div>
              </div>
          </form>
          <div class="clear"></div>

Please note that even the cited privacy banner leads to a non-existing page!

pgorod commented 4 years ago

This just means that your server got hacked, or your browser has a bad add-on installed... not a SuiteCRM issue.

pgorod commented 4 years ago

I see they have a SugarCRM plugin called InsideView; maybe it also works with SuiteCRM and you installed it? Check your Admin / Module Loader page.

francescor commented 4 years ago

Here is the screenshot: Screenshot from 2020-06-05 18-15-51

francescor commented 4 years ago

I can probably disable the whole "InsideView" advert in here?

Screenshot from 2020-06-05 18-45-12

Can I?

pgorod commented 4 years ago

That seems to be a legitimate software, that somebody installed on your server. You should determine what it does, before removing it. You probably paid for it.

You can also contact the makers of that software and ask them about the annoying ad. I assume they thought it was a good idea to get that permission, for GDPR reasons (or similar).

pgorod commented 4 years ago

Please close this Issue here, it's really not a SuiteCRM problem.

We can keep discussing this in comments even after the Issue is closed, if you need more help. Thanks

francescor commented 4 years ago

Yes, my client had a previous installation of SugarCRM (indeed I read "Sugar Version 6.5.25 Build 344" in the current SuiteCRM installation's About page): I'm very glad this stuff does not come from your code, believe me!

francescor commented 4 years ago

Is this about this same issue? https://community.suitecrm.com/t/inside-view-subpanel-how-to-remove/12966

@pgorod many thanks for your feedback: please have a look, since your statement about the server being hacked forced us to open a serious internal incident.

It seems to me that this "advertisement" was part of the previous SugarCRM, which has nothing to do with SuiteCRM (I'm glad!), but unfortunately that kind of code got automatically imported into our brand new SuiteCRM installation that we just set up by migrating from Sugar following the SuiteCRM migration instructions.

This is surely something that can help previous (new) users coming here from SugarCRM, and will keep SuiteCRM clean.

pgorod commented 4 years ago

Did you check Admin / Module Loader page to see if the module can be uninstalled from there?

You're better off ensuring that no part of that add-on is still operational; I don't know if the Connector is everything, or if there is more.

I agree this information might be useful for the future, though not here; it should be on the forums, and it's better to look for help there before coming here.

francescor commented 4 years ago

Yes, sorry for not telling you: the Admin / Module Loader page has nothing on it.

francescor commented 4 years ago

Ok, yes, next time I'll start with the forum, thanks.

Here is where that code should just be:

# grep -rl insideview.com /var/www/SuiteCRM/*
modules/Connectors/connectors/sources/ext/rest/insideview/InsideViewLogicHook.php
modules/Connectors/connectors/sources/ext/rest/insideview/tpls/InsideView.tpl

# ll modules/Connectors/connectors/sources/ext/rest/insideview/
total 40
-rw-r--r-- 1 apache apache 10133 May 31 13:25 InsideViewLogicHook.php
-rw-r--r-- 1 apache apache  2254 May 31 13:25 config.php
drwxr-sr-x 2 apache apache  4096 Feb 27  2013 images
-rw-r--r-- 1 apache apache  4903 May 31 13:25 insideview.php
drwxr-sr-x 2 apache apache  4096 Feb 27  2013 language
-rw-r--r-- 1 apache apache  2262 May 31 13:25 mapping.php
drwxr-sr-x 2 apache apache  4096 Feb 27  2013 tpls

# tree modules/Connectors/connectors/sources/ext/rest/insideview/
modules/Connectors/connectors/sources/ext/rest/insideview/
|-- InsideViewLogicHook.php
|-- config.php
|-- images
|   |-- close.png
|   |-- insideview.png
|   |-- insideview_collapsed.png
|   |-- insideview_expanded.png
|   `-- video.png
|-- insideview.php
|-- language
|   `-- en_us.lang.php
|-- mapping.php
`-- tpls
    `-- InsideView.tpl

3 directories, 11 files

francescor commented 4 years ago

And apparently this is the original writer of that code: https://php.wekeepcoding.com/article/12052779/sugarcrm+community+edition+set+connectors+properties+showing+blank+box

chris001 commented 4 years ago

Don't panic. InsideView is a third-party add-on service for filling in business data on your leads; it was promoted inside the SugarCRM 6.5 Community Edition (the open source version). You can disable it without any worries. https://www.insideview.com/how-we-source-personal-data/

francescor commented 4 years ago

Wait a sec: I just downloaded and installed a pristine SuiteCRM 7.11.13, and that connector is there:

]# tree /var/www/Vergine-SuiteCRM-7.11.13/modules/Connectors/connectors/sources/ext/rest/insideview/
/var/www/Vergine-SuiteCRM-7.11.13/modules/Connectors/connectors/sources/ext/rest/insideview/
|-- InsideViewLogicHook.php
|-- config.php
|-- images
|   |-- close.png
|   |-- insideview.png
|   |-- insideview_collapsed.png
|   |-- insideview_expanded.png
|   `-- video.png
|-- insideview.php
|-- language
|   `-- en_us.lang.php
|-- mapping.php
`-- tpls
    `-- InsideView.tpl

3 directories, 11 files

And yes, it is just not enabled by default.

Screenshot from 2020-06-06 17-42-27

Ok, so I just need to disable it, which solves my problem, thanks.

BUT, let me say that that connector smells pretty bad: their "Terms of Use" is pretty bad I think, and even in this brand new installation of SuiteCRM the link to their privacy policy is wrong (https://www.insideview.com/cat-privacy.html/).

I do not know the SuiteCRM community yet, nor how you developers work, but I wonder if developers are aware of this.

chris001 commented 4 years ago

You could remove it by deleting the connector code and its directories. It comes with the SugarCRM 6.5 CE, so you would have to delete it every time you upgraded the core SugarCRM 6.5 CE software.

Mac-Rae commented 4 years ago

Not sure how much we can do because it's from before the fork; I'll mark this up as a potential cleanup for now.

@francescor although it was already said, please consult the forums and raise issues like these there in the future. At worst, if we feel it is a bug we'll direct you to raise an issue here anyway 👍👍

Mac-Rae commented 4 years ago

@francescor could you also please modify the title to better reflect the raised issue. Maybe something along the lines of "SugarCRM Core Plugin does not link to privacy policy".

I'll point out we will take a look at editing the code or, if deemed able and sensible, potentially removing this module; however there's a lot resting on it being part of the legacy system, and changing stuff can open doors you don't want to 👍

francescor commented 4 years ago

@chris001 the code is in SuiteCRM, too:

https://github.com/salesagility/SuiteCRM/tree/master/modules/Connectors/connectors/sources/ext/rest/insideview

And it is installed by default: https://github.com/salesagility/SuiteCRM/blob/master/modules/Connectors/InstallDefaultConnectors.php

Then even in the upgrade wizard: https://github.com/salesagility/SuiteCRM/blob/master/modules/UpgradeWizard/uw_utils.php

And here, too: https://github.com/salesagility/SuiteCRM/blob/master/install/install_utils.php

With that banner (I would not have another way of defining it) a user (any user in the organization) is only one click away from accepting the T&C, which are pretty bad in my opinion (you can read it yourself; I can give my personal consideration about it) https://www.insideview.com/terms-use/ and, I have no time to dig into it but for sure somebody is more prepared than me on this, it does not even respect the European privacy regulation GDPR.

I am pretty surprised InsideView has such a privilege inside SuiteCRM code development: you may know the reason (which could be more than legit, of course) and I would like to know it.

chris001 commented 4 years ago

InsideView was added to SugarCRM in April 2011, this was several years before data and privacy became huge issues and GDPR was adopted in May 2018. InsideView is a SugarCRM partner, so they agree not to misuse user data. They have a database with detailed data on almost all companies, like Dun & Bradstreet, so if you have the email address for a contact/lead/account stored in your SuiteCRM, and that email domain matches a company in the InsideView database, the software auto fills in the missing data about that person/company in the record for you, it saves a lot of user/employee time on re-typing in so much publicly known company data (address, phone numbers, fax numbers, website, industry code, company size, who the person reports to, etc). That being said, you may very well want to just disable the InsideView connector so that your users won't see the panel with their "terms of use" link, which is currently a broken link anyway, and possibly click on "Agree".

francescor commented 4 years ago

Ok, I've got it now (and yes, I already removed its code on my client's server). Where can I propose to developers the removal of that code? As you said:

francescor commented 4 years ago

(btw @chris001 I see your website returns a weird file on the homepage, with a somehow encoded mv etc/ /old_etc command inside)

chris001 commented 4 years ago

Where can I propose to developers the removal of that code?

You should ask here in this issue for someone to submit a pull request, to modify the install settings for SuiteCRM included connectors, so that the InsideView connector would be installed as disabled.

I see your website returns a weird file on the homepage, with a somehow encoded mv etc/ /old_etc command inside

Thank you - link fixed now.

francescor commented 4 years ago

Ok, so I would suggest developers submit a pull request to remove the default-enabled installation of the InsideView connector cited in the code at

thanks

Mac-Rae commented 4 years ago

Already been sorted @francescor when I marked it with a priority; you're welcome to make the PR yourself if you know the required changes and have the time :+1:

francescor commented 3 years ago

I see InsideView is still enabled by default in a pristine installation; this is still a security issue to me.

Can someone help me find out what, in the installation setup, sets 'enabled' => true in custom_directory/modules/Connectors/metadata/connectors.php?

  'ext_rest_insideview' =>
  array (
    'id' => 'ext_rest_insideview',
    'name' => 'InsideView&#169;',
    'enabled' => true,
    'directory' => 'modules/Connectors/connectors/sources/ext/rest/insideview',
    'eapm' => false,
    'modules' =>
    array (
      0 => 'Accounts',
      1 => 'Contacts',
      2 => 'Leads',
      3 => 'Opportunities',
    ),
  ),

francescor commented 3 years ago

Thanks to User: pgr (see https://community.suitecrm.com/t/insideview-a-connector-that-to-me-is-a-security-issue/78671/3), I just fired off a pull request: https://github.com/salesagility/SuiteCRM/pull/9052
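A defender's check for the connectors metadata quoted above, added here as an example that comes neither from the issue nor from SuiteCRM's own code: it parses the PHP array subset the file uses (quoted strings, ints, booleans, nested array) and lists every enabled connector whose directory points at an external ext/ source, then flips one connector's flag to false without touching the rest of the file. The sample file is constructed, and the $connectors variable name is an assumption.

```python
import re
# Constructed sample in the shape of the connectors.php fragment quoted in the issue;
# the $connectors variable name is an assumption, not something the page shows.
SAMPLE = """<?php
$connectors = array (
  'ext_rest_insideview' =>
  array (
    'enabled' => true,
    'directory' => 'modules/Connectors/connectors/sources/ext/rest/insideview',
    'modules' =>
    array (
      0 => 'Accounts',
    ),
  ),
  'ext_rest_other' => array ('enabled' => false, 'directory' => 'modules/Connectors/connectors/sources/ext/rest/other'),
);
"""
# Token classes of the PHP array-literal subset the file uses: strings, ints, keywords, punctuation.
TOKEN = re.compile(r"'((?:[^'\\]|\\.)*)'|(\d+)|\b(true|false|array)\b|(=>|[(),])")

def tokens(src):
    return [('str', s) if s is not None else ('int', int(n)) if n is not None
            else ('kw', kw) if kw is not None else ('punc', p)
            for s, n, kw, p in (m.groups() for m in TOKEN.finditer(src))]

def parse_array(toks, i):
    """Recursive-descent parse of 'array ( key => value, ... )' at toks[i]; returns (dict, next index)."""
    assert toks[i] == ('kw', 'array') and toks[i + 1] == ('punc', '(')
    i, result = i + 2, {}
    while toks[i] != ('punc', ')'):
        key, i = toks[i][1], i + 2  # consume the key and the '=>' that follows it
        if toks[i] == ('kw', 'array'):
            result[key], i = parse_array(toks, i)
        else:
            kind, v = toks[i]
            result[key], i = ((v == 'true') if kind == 'kw' else v), i + 1
        if toks[i] == ('punc', ','):  # trailing comma before ')' is allowed
            i += 1
    return result, i + 1

def enabled_external_connectors(src):
    """IDs of connectors that are enabled and point at an external (ext/) source directory."""
    conns, _ = parse_array(toks := tokens(src), toks.index(('kw', 'array')))
    return sorted(k for k, c in conns.items() if c.get('enabled') is True and '/ext/' in c.get('directory', ''))

def disable_connector(src, connector_id):
    """File text with that connector's 'enabled' flag flipped to false; everything else is left as written."""
    block = re.compile(r"('%s'\s*=>\s*array\s*\(.*?'enabled'\s*=>\s*)true" % re.escape(connector_id), re.S)
    return block.sub(r"\1false", src, count=1)
```

Run enabled_external_connectors over the real custom/modules/Connectors/metadata/connectors.php after each install or upgrade to catch a connector that came back enabled.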