Features / Usability

Re: hacking attempt?

posts: 214

While not being able to see the code in question makes it impossible to know for certain if the "Plugin execution pending approval" is because of a hacking attempt, there may be an explanation that does not involve hacking.

Not all of the plugins require validation before they will execute. The ones that do, have the plugin's name, meta, body, and args passed through an md5 hash generator, and the result is stored in the tiki_plugin_security table.

Whenever a wiki page with the plugin is displayed, the same plugin's name, meta, body, and args are again passed through an md5 hash generator and the result is compared to the previous md5 hash stored for that plugin. If the md5 hash codes do not match, then the plugin is not expanded and you get the "Plugin execution pending approval" message displayed on that page.

When you edit a page with a plugin, the check with the md5 hash is done when you save the page. If you changed the plugin, then the md5 hash code will not match, and then, if you have "Editing and Plugins", "Plugins" tab, "Plugin pending approval notification" selected, you will get an email that the plugin needs to be approved.

If you did not change the plugin code when you edited the page, the md5 hash will match from the previous save, and the plugin will not need to be approved again and no email is sent.

Just displaying a page that has a plugin that requires approval does not trigger the plugin pending approval notification message; that is done when the page is saved.

You said that you "upgraded to 15.0.alpha". The upgrade process does not require the page to be edited and saved, so the code that does the "Plugin pending approval notification" message does not get processed.

And it is possible that one or more plugins were changed in the upgrade, and those changes would have caused the new md5 hash not to match the pre-upgrade md5 hash for that plugin, so when the upgraded page is displayed, you ended up with the "Plugin execution pending approval" message.

Tom
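
The check described in the post above, modelled as an added example (it is not part of the original post and not Tiki's own code): it shows why a plugin whose inputs changed during an upgrade displays "Plugin execution pending approval" without any notification being sent. The JSON serialization, the function names, the in-memory stand-ins for the tiki_plugin_security table and the e-mail queue, and the sample plugin are all assumptions.

```python
import hashlib
import json

approved = set()      # stand-in for the tiki_plugin_security table
notifications = []    # stand-in for the "pending approval" e-mails


def fingerprint(name, meta, body, args):
    """MD5 over the plugin's name, meta, body and args.
    Assumption: canonical JSON encoding; Tiki's real field encoding may differ."""
    blob = json.dumps([name, meta, body, args], sort_keys=True).encode("utf-8")
    return hashlib.md5(blob).hexdigest()


def approve(name, meta, body, args):
    """Record the current fingerprint as approved."""
    approved.add(fingerprint(name, meta, body, args))


def display(name, meta, body, args):
    """Display path: recompute and compare only, never notify."""
    if fingerprint(name, meta, body, args) in approved:
        return "expanded"
    return "Plugin execution pending approval"


def save(name, meta, body, args, notify_enabled=True):
    """Save path: the same comparison, plus the optional notification."""
    status = display(name, meta, body, args)
    if status != "expanded" and notify_enabled:
        notifications.append(fingerprint(name, meta, body, args))
    return status


def scenario():
    """Constructed sample: approved before an upgrade, meta changed by the upgrade."""
    args = {"cols": "2"}
    old_meta = {"version": 1}
    new_meta = {"version": 2}  # hypothetical change shipped by the upgrade
    approve("demo", old_meta, "body text", args)
    before = display("demo", old_meta, "body text", args)
    after_upgrade = display("demo", new_meta, "body text", args)
    mails_after_display = len(notifications)   # displaying sent nothing
    after_save = save("demo", new_meta, "body text", args)
    return before, after_upgrade, mails_after_display, after_save, len(notifications)
```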
