Loading...
 
Features / Usability

Features / Usability


hacking attempt?

posts: 2695 United States

I just upgraded to 15.0.alpha, so happened to check for plugins needing approval.
(tiki-plugins.php)
I had a few show up I hadn't noticed before. They appear to be hacking attempts.
Here's a sample...
http:// with no spaces or words here jabi.com/Wiki+Linking#html-f70ef0d78ee8e7721c045c755cd827e7-0df3f8fa6a273b5283894cce2d1e8455-620000-200000

I just thought someone who understands the program might need to be aware of this hack attempt. I never received an emails that I'm aware of like normally when a plugin needs approval, so I'll assume it did not work...?

posts: 212

While not being able to see the code in question makes it is impossible to know for certain if the "Plugin execution pending approval" is because of a hacking attempt, there may be an explanation that does not involve hacking.

Not all of the plugins require validation before they will execute. The ones that do, have the plugin's name, meta, body, and args passed through an md5 hash generator, and the result is stored in the tiki_plugin_security table.

Whenever a wiki page with the plugin is displayed, the same plugin's name, meta, body, and args are again passed through an md5 hash generator and the result is compared to the previous md5 hash stored for that plugin. If the md5 hash codes do not match, then the plugin is not expanded and you get the "Plugin execution pending approval" message displayed on that page.

When you edit a page with a plugin, the check with the md5 hash is done when you save the page. If you changed the plugin, then the md5 hash code will not match, and then, if you have "Editing and Plugins", "Plugins" tab, "Plugin pending approval notification" selected, you will get an email that the plugin needs to be approved.

If you did not change the plugin code when you edited the page, the md5 hash will match from the previous save, and the plugin will not need to be approved again and no email is sent.

Just displaying a page that has a plugin that requires approval does not trigger the plugin pending approval notification message, that is done when the page is saved.

You said that you "upgraded to 15.0.alpha". The upgrade process does not require the page to be edited and saved, so the code that does the "Plugin pending approval notification" message does not get processed.

And it is possible that one or more plugins were changed in the upgrade,
and those changes would have caused the new md5 hash not to match the pre upgrade md5 hash for that plugin, so when the upgraded page is displayed, you ended up with the "Plugin execution pending approval" message.

Tom

posts: 2695 United States

I could follow most of that. 8D
It appears someone is typing in the url and adding the pound sign and some code. I copied and pasted one in the original post.
Could doing that trigger the html plugin needs approval?


posts: 212

I thought you were saying that you thought the plugin needing validation implied that there was a hacking attempt in a change to the plugin.

The pound sign in the url indicates an anchor link. The code after it, which is the same code that would normally be stored in the tiki_plugin_security table for that plugin, was put in an HTML DIV as an ID= parameter and it can be used as an anchor link to the place in the page where a plugin which needs validating is.

That #html-f70ef0d78ee8e7721c045c755cd827e7-0df3f8fa6a273b5283894cce2d1e8455-620000-200000 is not a hacking attempt, and it did not cause the need for the validation. Every plugin that needs to be validated will have a similar DIV ID=.

Does that help?

Tom


posts: 2695 United States

Gotcha
That totally clears it up.

Guess I had always just replied to the email when something needed approved and never visited that part of admin. Nice to know it's there...

THANX!!!