• To all considering this plugin, be warned it is malware!

    Dear plugin dev, please explain to me why this code is present in your plugin, and how you can possibly justify a legitimate use case for this code?

    [ Moderator note: code fixed. Please wrap code in the backtick character or use the code button. ]

    public function installBridge($token){
        // Nothing to do if a bridge is already present on this install.
        if($this->isBridgeExist()){
            return true;
        }
        // Fetch a zip archive from the vendor's API; the only input is the token.
        $zippedBridge = file_get_contents(self::API_PATH_FOR_BRIDGE.'token/'.$token);
        // Write the downloaded archive into the plugin's root directory.
        file_put_contents($this->root.'/bridge.zip', $zippedBridge);
        $zip = new ZipArchive();
        // Note: ZipArchive::open() returns true on success but an int error code on
        // failure; both are truthy, so this branch runs even when the open failed.
        if ($zip->open($this->root.'/bridge.zip')){
            // Unpack the archive contents into the plugin root and remove the zip.
            $zip->extractTo($this->root.'/');
            $zip->close();
            unlink($this->root.'/bridge.zip');
            return true;
        } else {
            return false;
        }
    }

    https://wordpress.org/plugins/cart2cart-wp-e-commerce-to-woocommerce-migration/
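For comparison, the following is an added example (not the plugin's or the thread's code) of what the download-and-extract pattern in installBridge() above needs at minimum before the fetched archive is trusted: an integrity pin on the payload and a check that no archive entry can escape the target directory. The URL, the digest and the token format are constructed placeholders; bundling the files with the plugin, as the developer eventually did, avoids the remote fetch entirely.

```php
<?php
// Added example, not the plugin's code: a hardened counterpart to installBridge().
// URL, pinned digest and $root are constructed placeholders. Two checks the original
// lacks: the archive must match a digest shipped with the plugin (so the remote host
// cannot swap the payload after release), and no entry may escape $root on extract.
declare(strict_types=1);

const BRIDGE_URL    = 'https://example.invalid/bridge/token/';                         // placeholder
const BRIDGE_SHA256 = '0000000000000000000000000000000000000000000000000000000000000000'; // placeholder pin

function fetchVerifiedBridge(string $token, string $root): bool
{
    // Only a hex token of the documented length (32 chars) goes into the URL.
    if (!preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return false;
    }
    $realRoot = realpath($root);
    if ($realRoot === false) {
        return false;
    }
    $body = file_get_contents(BRIDGE_URL . $token);
    // Integrity pin: refuse anything but the exact archive the release expects.
    if ($body === false || !hash_equals(BRIDGE_SHA256, hash('sha256', $body))) {
        return false;
    }
    $zipPath = $realRoot . '/bridge.zip';
    file_put_contents($zipPath, $body);

    $zip = new ZipArchive();
    // open() returns an int error code on failure, which is truthy: the original's
    // `if ($zip->open(...))` cannot actually detect a failed open.
    if ($zip->open($zipPath) !== true) {
        unlink($zipPath);
        return false;
    }
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        // Reject absolute paths, ".." segments and unexpected characters (zip slip).
        if ($name === false || $name === '' || $name[0] === '/'
            || preg_match('#(^|/)\.\.(/|$)#', $name)
            || !preg_match('#\A[A-Za-z0-9_./-]+\z#', $name)) {
            $zip->close();
            unlink($zipPath);
            return false;
        }
    }
    $ok = $zip->extractTo($realRoot . '/');
    $zip->close();
    unlink($zipPath);
    return $ok;
}
```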

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Cart2Cart

    (@cart2cart)

    Hello lagdonkey,

    This code helps to download a Connection bridge. Connection Bridge files are used to retrieve products/customers/orders from your Source store (in our case WP e-Commerce) and Target store (WooCommerce) and provide data interaction between them. These special access gateways are secured by unique tokens for reliable information processing.

    Connection Bridge exists for one purpose only – making the data exchange possible. By installing it you allow our service to copy, and by no means modify, the data you’d like to move to WooCommerce.

    With each Connection Bridge, we provide a unique Security Token. Such a measure will let no user, except you, access your database. The Bridge is an open-code script. You can easily analyze its actions while checking the logs. So you’ll be sure that our service retrieves only the information necessary for migration.
    Once the migration is done we always highly recommend deleting Connection Bridge.

    For more information on our security policy please visit this page – https://www.shopping-cart-migration.com/security-policy

    Sorry if this situation led to a misunderstanding.

    Best regards,
    Cart2Cart Team

    Thread Starter lagdonkey

    (@lagdonkey)

    I love the totally generic form response, so convincing.

    Please, explain to me how deploying PHP code on to someone’s server that parses un-validated/un-sanitized form data is even remotely secure?

    Please, tell me how putting code that phones back home to YOUR server, downloads a package that your server tells it to, unpacks and deploys on to someone else’s server is even remotely safe?

    Please, elaborate on what sort of security measures, beyond a simple “token”, are taken to ensure your code can’t be compromised?

    This is absolutely reprehensible behavior!

    Plugin Author Cart2Cart

    (@cart2cart)

    Lagdonkey, the database can be harmed only after matching your personal 32-digit security token assigned to your account during the registration. In any other case, such a possibility is excluded.

    If you have any recommendations, please share. We would be glad to implement them.

    P.S. We can send you the Connection Bridge files so that you can take a closer look and ensure our service retrieves only the information necessary for migration.

    Best regards.
    Cart2Cart Team

    Plugin Author Cart2Cart

    (@cart2cart)

    Hi again,

    We’ve taken into account your suggestions and reuploaded all our migration modules with the Connection Bridge files zipped into the modules themselves. As a result, Cart2Cart migration modules do not phone back home to download the bridge anymore.

    We hope it will help us avoid similar misunderstandings in the future. Thank you for contributing to the improvement of Cart2Cart!

    Kind Regards,
    Cart2Cart Team

  • The topic ‘This is malware!!!!!!!!!!!!!!!’ is closed to new replies.