Worm in WP Responder Email Newsletter and Autoresponder Plugin???

  • Resolved mindphuk

    (@mindphuk)


    13 years, 6 months ago

    Avira Antivir allerts an infection with JS/Zhelatin ZB worm in viewbroadcast.php

    In that file I find a <script>-tag:

    <script>

function base64Decode(data){data=data.replace(/[^a-z0-9\+\/=]/ig,'');if(typeof(atob)=='function')return atob(data);var b64_map='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';var byte1,byte2,byte3;var ch1,ch2,ch3,ch4;var result=new Array();var j=0;while((data.length%4)!=0){data+='=';}
for(var i=0;i<data.length;i+=4){ch1=b64_map.indexOf(data.charAt(i));ch2=b64_map.indexOf(data.charAt(i+1));ch3=b64_map.indexOf(data.charAt(i+2));ch4=b64_map.indexOf(data.charAt(i+3));byte1=(ch1<<2)|(ch2>>4);byte2=((ch2&15)<<4)|(ch3>>2);byte3=((ch3&3)<<6)|ch4;result[j++]=String.fromCharCode(byte1);if(ch3!=64)result[j++]=String.fromCharCode(byte2);if(ch4!=64)result[j++]=String.fromCharCode(byte3);}
return result.join('');}
	  var theFrame = document.getElementById('htmlbodyframe');
	  var thecontent = '<?php echo base64_encode($output['HTML Body']) ?>';
	  theFrame.contentDocument.write(base64Decode(thecontent));
	  </script></td>

    Whats up there? This is the only plugin I downloaded today with such an infection.

    Edit: plugin page: http://wordpress.org/extend/plugins/wp-responder-email-autoresponder-and-newsletter-plugin/

Viewing 6 replies - 1 through 6 (of 6 total)
  • esmi

    (@esmi)

    13 years, 6 months ago

    Contact plugins@wordpress.org.

    rajasekharan

    (@rajasekharan)

    13 years, 6 months ago

    Hi,

    It is not an virus or an infection. It is a false alarm. The base64decode function you see in the script tag is harmless. It is used to decode a base64 string.

    It is used to decode the HTML source code of the HTML body of the email and show it in the administration panel.

    var thecontent = '<?php echo base64_encode($output['HTML Body']) ?>';

    In this line the HTML body of the sent broadcast is base64 encoded and placed in the javascript variable ‘thecontent’ by PHP. When this (view braodcast) interface is loaded this content is base64 decoded by javascript using this function Then it is inserted into the body of an iframe to show you the content of the HTML body of the sent broadcast.

    That is all. I have heard of other antiviruses that are giving a false alarm on that file so I am working on an alternative implementation of the same which you will get in the next version.

    I assure you there is no virus or mallicious code in the plugin.

    Warm Regards,
    Raj

    CircleReader

    (@circlereader)

    13 years, 4 months ago

    I also am getting virus warnings from this plugin. This morning my hosting company quarantined one of the files (forms.php) because it looked like an exploit, and I am also getting warnings from my own scans on the use of eval() in actions.php.

    Obviously, I can’t have files disappearing into quarantine without warning, so this makes the plugin unusable for me. That’s a shame, since it looks like a very useful plugin. Any word on a fix?

    Stef

    (@inpixelitrust)

    13 years, 4 months ago

    Same here, when I download the file, I got an alert from avira antivir, when I try to install plugin the same problem, when I move the file, all the same. This makes the plugin unusable for the moment. So shade, it seamed great.

    Naoise Golden Santos

    (@ngolden)

    13 years, 4 months ago

    same here, my hosting company deleted the forms.php file

    TourAbsurd

    (@tourabsurd)

    13 years, 3 months ago

    Same. Not going to install this.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Worm in WP Responder Email Newsletter and Autoresponder Plugin???’ is closed to new replies.