[resolved] [closed] Worm in WP Responder Email Newsletter and Autoresponder Plugin??? (7 posts)

  1. mindphuk
    Member
    Posted 3 years ago #

    Avira Antivir alerts an infection with JS/Zhelatin ZB worm in viewbroadcast.php

    In that file I find a <script>-tag:

    <script>
    
    function base64Decode(data){data=data.replace(/[^a-z0-9\+\/=]/ig,'');if(typeof(atob)=='function')return atob(data);var b64_map='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';var byte1,byte2,byte3;var ch1,ch2,ch3,ch4;var result=new Array();var j=0;while((data.length%4)!=0){data+='=';}
    for(var i=0;i<data.length;i+=4){ch1=b64_map.indexOf(data.charAt(i));ch2=b64_map.indexOf(data.charAt(i+1));ch3=b64_map.indexOf(data.charAt(i+2));ch4=b64_map.indexOf(data.charAt(i+3));byte1=(ch1<<2)|(ch2>>4);byte2=((ch2&15)<<4)|(ch3>>2);byte3=((ch3&3)<<6)|ch4;result[j++]=String.fromCharCode(byte1);if(ch3!=64)result[j++]=String.fromCharCode(byte2);if(ch4!=64)result[j++]=String.fromCharCode(byte3);}
    return result.join('');}
    	  var theFrame = document.getElementById('htmlbodyframe');
    	  var thecontent = '<?php echo base64_encode($output['HTML Body']) ?>';
    	  theFrame.contentDocument.write(base64Decode(thecontent));
    	  </script></td>

    What's up there? This is the only plugin I downloaded today with such an infection.

    Edit: plugin page: http://wordpress.org/extend/plugins/wp-responder-email-autoresponder-and-newsletter-plugin/

  2. esmi
    Forum Moderator
    Posted 3 years ago #

  3. rajasekharan
    Member
    Posted 3 years ago #

    Hi,

    It is not a virus or an infection. It is a false alarm. The base64decode function you see in the script tag is harmless. It is used to decode a base64 string.

    It is used to decode the HTML source code of the HTML body of the email and show it in the administration panel.

    var thecontent = '<?php echo base64_encode($output['HTML Body']) ?>';

    In this line the HTML body of the sent broadcast is base64 encoded and placed in the JavaScript variable 'thecontent' by PHP. When this (view broadcast) interface is loaded, this content is base64 decoded by JavaScript using this function. Then it is inserted into the body of an iframe to show you the content of the HTML body of the sent broadcast.

    That is all. I have heard of other antiviruses that are giving a false alarm on that file so I am working on an alternative implementation of the same which you will get in the next version.

    I assure you there is no virus or malicious code in the plugin.

    Warm Regards,
    Raj
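
The reply above mentions an alternative implementation of the broadcast preview. As an added example (not the plugin's code and not written by anyone in this thread), here is one way to show a stored HTML body in a frame without an inline base64 decoder or `document.write()`, using the standard `sandbox` and `srcdoc` iframe attributes. The function names and the sample body are assumptions made for illustration.

```javascript
// Added example, not the plugin's code: build the preview iframe as markup
// instead of decoding base64 in the page and calling document.write().
// escapeAttr(), previewFrameMarkup() and sampleBody are hypothetical.

// Escape text for use inside a double-quoted HTML attribute value.
// '&' is replaced first so the entities added afterwards are not re-escaped.
function escapeAttr(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Return an <iframe> whose document comes from srcdoc. The empty sandbox
// attribute gives the framed document an opaque origin and disables scripts
// and form submission, so the e-mail HTML is displayed but cannot act on
// the admin page that embeds it.
function previewFrameMarkup(htmlBody) {
  return '<iframe id="htmlbodyframe" sandbox="" srcdoc="' +
    escapeAttr(htmlBody) + '"></iframe>';
}

// Constructed sample: an e-mail body with quotes, an ampersand and a
// script element that must stay inert in the preview.
const sampleBody =
  '<h1 class="title">March newsletter</h1>' +
  '<p>Tom & Jerry "special"</p>' +
  '<script>parent.document.title = "changed"</script>';

console.log(previewFrameMarkup(sampleBody));
```

On the server side the same markup can be produced by escaping the body for an attribute context before echoing it into `srcdoc`, so no decoder has to ship in the page at all.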

  4. CircleReader
    Member
    Posted 3 years ago #

    I also am getting virus warnings from this plugin. This morning my hosting company quarantined one of the files (forms.php) because it looked like an exploit, and I am also getting warnings from my own scans on the use of eval() in actions.php.

    Obviously, I can't have files disappearing into quarantine without warning, so this makes the plugin unusable for me. That's a shame, since it looks like a very useful plugin. Any word on a fix?

  5. inpixelitrust
    Member
    Posted 3 years ago #

    Same here, when I download the file, I got an alert from Avira AntiVir, when I try to install the plugin the same problem, when I move the file, all the same. This makes the plugin unusable for the moment. So shade, it seemed great.

  6. Naoise Golden Santos
    Member
    Posted 3 years ago #

    Same here, my hosting company deleted the forms.php file.

  7. TourAbsurd
    Member
    Posted 3 years ago #

    Same. Not going to install this.

Topic Closed

This topic has been closed to new replies.
