callhomes in products

vbcorolla · 05-15-2006, 12:02 PM

the org just found that some authors are putting auto-install clickers in their products. I happen to know which mods these are in, but I'm wondering what your opinion on the topic is.

Clicking install may be harmless, but if that code runs.. so could something that sends your database details out over the net to xxx server :ninja:

Arnoud · 05-15-2006, 01:49 PM

You mean in the install script? That trick has been around for ages, I remember using it aswell (not anymore though :p).

Sending data out isn't that simple though, the install script is simply redirecting the browser to the install link. Sending the database details would be a whole different thing ;).

vbcorolla · 05-15-2006, 01:53 PM

yeah, but the code isn't so different. just add a $variable to the get request and change the domain name and it becomes rather dangerous.

glad I read the source on stuff (:o)

Arnoud · 05-15-2006, 02:14 PM

Well, it's still not that easy. I'm pretty sure the DB password is either encrypted or unset when starting a script.

vbcorolla · 05-15-2006, 02:23 PM

hehe, maybe I'll need to try a proof of concept on my test board and see what happens

probably do that later today

Arnoud · 05-15-2006, 02:25 PM

Alright, let me know.

Also, what good is the DB info? You're running their file, if it send the DB info it might aswell make the changes when its ran.

ShavedApe · 05-15-2006, 07:53 PM

I dont see it as a problem but do wonder about the security side of things.

Paul M · 05-15-2006, 09:09 PM

Quote:

Originally Posted by vbcorolla

the org just found that some authors are putting auto-install clickers in their products. I happen to know which mods these are in, but I'm wondering what your opinion on the topic is.

I know which mods they are in as well - since I wrote the code they are referring to.

BTW - they aren't actually calling 'home' either, as vb.org is not my home forum.

The whole thing is just unbelievable - I can only guess at the reasons for the massive fuss - calling the link as that code did is utterly harmless - a massive overhype over nothing. They seem bent on self destruction atm - and are doing a fine job about it.

vbcorolla · 05-16-2006, 12:24 AM

Quote:

Originally Posted by Deaths

Alright, let me know.

Also, what good is the DB info? You're running their file, if it send the DB info it might aswell make the changes when its ran.

well, after about 15 minutes of playing around with code I managed to do the following on my test site with an exploit in the .xml

steal database, get config.php contents, delete database, etc.

doesn't seem to be any limit, the product import is not run in any sort of secure environment

Code Monkey · 05-16-2006, 02:27 AM

Is all that mountains from molehills crap going to infect this place as well? vBORG staff is again, OTT.

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)