suspicious plugin?
 

https://vborg.vbsupport.ru/showthread.php?t=324918

Can someone audit this plugin for potential malicious code?
The nonsensical results of the plugin and the apathy of the author are worrying me a lot.
Here's a mirror : https://www.sendspace.com/file/05icvb

It seems fine to me at first sight, what makes you think it could contain malware?

First the product shows nonsensical results which were reported, but the author didn't react.
Secondly the product definitely uses external content and the author didn't put the proper warning, for example in admincp/slowplugins.php

line 15 : <script src="//ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js"></script>

I have recently received an email on a mail address I have never use besides receiving notification from my vbulletin, I'm trying to find where is the backdoor and this one product seems to be the most suspicious of all, it has left tons of data in the sql database even after uninstall.

I think the code of this product should definitely be audited.

Jquery isn't malicious code. Virtually every software program uses it. Hell, vBulletin uses it.

Not sure if trolling... jQuery loaded from google’s cdn is maclicious code? I don’t even understand what exactly you claim to be malicious.

Also, why are you posting a mirror of it? It can be downloaded directly from the thread as it was posted.

What if your computer has malware and it infected the files you re-uploaded (without permission either)?

No one else has reported “malicious code” in it..

If you don’t like the product, simply uninstall it.

I think you worry too much. :erm:
There is nothing malicious about jQuery :down:

What do you mean by "apathy of the author" :confused:
There are no rules that say authors have to respond within a certain time (or at all).

If the results are nonsensical to you then just dont use it. Problem solved. :cool:

X-or never said that jquery was malicious, he said the call to jquery is use of external content, which it technically is. However when the flag for "Uses external content" was created (over a decade ago, probably closer to 15 years) it was intended to for mods that used code presumably hosted by the mod creator, not necessarily open, public, and used all over the web.

In the decade and a half since the external code flag was created it has become much more common to link to safe, reliable, libraries hosted by sites like Google.

vBulletin does this too, but as an option. No one has to to make external calls to Google to use vBulletin, but it's smart to do so.

Whether a call to external jquery raises to the level of needing to click the external content flag is a debate for site moderators, I can see good points for both sides.

This was already discussed prior in the thread and Joe even commented back then on it as well, reference: https://vbulletin.org/forum/showpost...&postcount=244

So it's use at your own risk as Joe mentioned, furthermore you can simply edit out the parts of the mod containing that code before you install on your site.

I checked the code and couldn't find the SQL injection backdoor, the email address gathering script is in there though but it doesn't do anything since the site it sends requests to is no longer online.

hmm this is a different mod than the OP linked...fwiw...

Different mod and different mod author.

o.O apparently so ^ there were two reported posts and I clicked on the wrong link! Sometimes oversight is awesome :p.

Email address gathering script? :confused:
Isn't it against the rules? :confused:

--------------- Added [DATE]1518132620[/DATE] at [TIME]1518132620[/TIME] ---------------

@Dave , could you please provide more details about this email gathering script? Sounds like a very malicious thing. :confused:

Nobody wants to audit this product, really?

Again I would like to stress the webmaster email was leaked after installing this product....
And maybe the whole database, who knows...
Also this is a product that outputs utterly nonsensical results which only adds to the suspicion
Is this site dead or something, why nobody looks into it

All of the above? The mod hasn't been updated in over 5 years. It probably doesn't even work on PHP 7. If you are unsure about using it, don't use it. If the results are "nonsensical" than it is no loss.

Is the site dead? Not technically, we're posting here... but it is a fraction of what it used to be and even 5 years ago it was a fraction of what it was 5 years before that. :(

Why does it say "Last Update: 14 Apr 2017" ?
Is this information inaccurate?

Hmmm... somehow I thought this was about this mod: https://vbulletin.org/forum/showthread.php?t=241481

Oh it's because I followed the link in The Last Superman's post (#8) and assumed it was the mod in question, my bad.

I wouldn't use the mod in this post either.

--------------- Added [DATE]1533059424[/DATE] at [TIME]1533059424[/TIME] ---------------

I did a light audit... I looked through the main php file and searched for some common means of collecting/sending data and didn't notice or find anything suspicious.

It's by no means me saying it's safe to use, but there is nothing obvious to me to worry about.

I have no intention of using or installing.

Just gave it a check;
there's a link to a dead site in the xml description of it. (fuelmyforums)
and a small .js from the google cdn, all is fine here. (<script src="//ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js"></script>)

The fastest way for someone who isn't used to coding imho is to look is to open the files and do a search for "//" without the quotation marks and you'll easily find any links which could be used to send info to a external site.. Or just give a quick look through of all the files like I did.

Those up to no good could purposely hide this kind of code though, so be aware if you don't find any it doesn't mean it's 100% safe.