Plugin Mod / Fork, Update and what happened #40

Open
thexmanxyz opened this issue Sep 25, 2017 · 7 comments

@thexmanxyz
commented Sep 25, 2017

Hey there, I know many of you noticed that something strange happened to this plugin. There was no update over a long period, and at the beginning of the year a new version was released and shared only over the website by a potential new owner. The old version which is available over this repo is still v3.3 and the version provided over the new "official" website (at least the domain changed) http://www.mapsplugin.com is v3.5. I did a rough diff over the files and there were a lot of changes between these two versions. But most of them look ok. However the changes were never updated here in the git repo (even after 8 months). That's mysterious. There is a popular fix for PHP 7 which also was not integrated even though it has been known for at least a year (#28).

Moreover @jaccsnl noticed strange lines in the code, possibly found during a Sucuri.net scan - see also #39. So I tried to find the problematic lines described by @jaccsnl by myself because he did not provide further information. As already discussed in #39 the related code that I found seems to be a bit strange and very questionable. Moreover I noticed a bug in 'plugin_googlemap3.css.php' and a deprecated Google Maps JS API query parameter "signed_in=0|1", which is still sent during requests. So I decided to fix these issues, remove the mysterious lines of code described in #39 and create a new version. For further information please review #39; I will not describe everything I discovered again.

So the new version is 3.5.1 3.5.2 and contains:

  • fixes #28 / #30 / #36 for PHP7
  • fixes #25 / #29 / #38 (force SSL - readonly already fixed in v3.5)
  • fixes Maps JS API query parameter ("signed_in")
  • fixes a bug introduced with one of the last Joomla versions (factory.php lib moved to database subfolder), I corrected the path in 'plugin_googlemap3.css.php'
  • the mysterious lines in 'plugin_googlemap3.php' were removed because they can be easily used to reload malicious code and I personally do not trust them (#39)
  • removed MOSX platform files

Please give me some time to prepare the new version. I will come back here to further discuss these issues and provide you further information. For more information see the next post.

@thexmanxyz thexmanxyz referenced this issue Sep 25, 2017
@thexmanxyz

Author

commented Sep 25, 2017

So finally the updated version v3.5.2 of the plugin with the above described fixes is here. I know that this is far from the best way to provide an update but currently I do not know a better or faster way to offer a distribution of the updated version of the plugin. I strongly recommend everyone who still uses this plugin to download this version and install it. However please consider the problematic situation around this plugin, I'm not responsible for anything... it's just a fix to circumvent the possibility to inject code over this potential "backdoor" as long as the owner does not communicate what these lines actually do and for what they are used. I personally doubt that these lines make any sense other than pushing some stuff on the webserver of a person using this plugin. Why load a credit from the server and not hard code it? It's stupid because if a person understands PHP code it doesn't make it more difficult to remove the credit. That's the only comprehensible thing I can think about and this doesn't make any sense either.

Everything is just an assumption by me, but as long as there is no official communication or statement by the owner (other than the updates without any changelogs) on the "official" site, it's better to take care. Moreover I have to invest a bit more time to get an overview between the v3.3, v3.4 and v3.5 and the fake version(s) of the plugin because something is messed up in the whole version management and the overtaking of the plugin... I now fully reviewed the file and code changes from v3.3 - v3.5 and except the lines described in #39 there is nothing suspicious in the code as far as I can tell but I invite everyone to also do a review of the code. Especially the plugin and kml JS code obfuscated by minification...

Feel free to verify my archive and the code I uploaded. But there are no differences except the fixes described above. Moreover I hope that someone joins the discussion. I'm looking forward to some community input. The base for v3.5.2 was the version v3.5 taken from http://www.mapsplugin.com/update/. For the moment this version should work. In the near future I will create a fork of this repo because the current situation is far from acceptable. I don't have deep knowledge of the Maps API so I hope for participation :D.

plugin_googlemaps-J25_J3x.v3.5.2.zip
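
The comment above invites readers to verify the uploaded archive against the v3.5 base. One way to do that, as an added example that is not part of the original thread or the plugin's code: compare per-file SHA-256 digests of two zips and list PHP lines that call functions able to fetch or run content at runtime. The sample archives, their file names and the function list are constructed assumptions.

```python
import hashlib, io, re, zipfile

# PHP calls that can fetch or execute content at runtime (heuristic, not exhaustive).
REMOTE_LOAD = re.compile(r"\b(file_get_contents|fopen|fsockopen|curl_exec|eval|base64_decode)\s*\(")

def digests(zip_bytes):
    """Map every file in the archive to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {n: hashlib.sha256(zf.read(n)).hexdigest()
                for n in zf.namelist() if not n.endswith("/")}

def compare(base_zip, fixed_zip):
    """List files added, removed or changed between two archives."""
    base, fixed = digests(base_zip), digests(fixed_zip)
    return {"added": sorted(fixed.keys() - base.keys()),
            "removed": sorted(base.keys() - fixed.keys()),
            "changed": sorted(n for n in base.keys() & fixed.keys()
                              if base[n] != fixed[n])}

def remote_load_lines(zip_bytes):
    """Return (file, line number, text) for PHP lines matching REMOTE_LOAD."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if name.lower().endswith(".php"):
                text = zf.read(name).decode("utf-8", "replace")
                hits += [(name, no, line.strip())
                         for no, line in enumerate(text.splitlines(), 1)
                         if REMOTE_LOAD.search(line)]
    return hits

def make_zip(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed sample archives (invented names and bodies, not the real plugin).
BASE = make_zip({
    "plugin.php": "<?php\n$credit = file_get_contents('http://example.invalid/c');\necho $credit;\n",
    "helper.php": "<?php\nfunction f() { return 1; }\n",
    "platform/old.txt": "x"})
FIXED = make_zip({
    "plugin.php": "<?php\n$credit = '';\necho $credit;\n",
    "helper.php": "<?php\nfunction f() { return 1; }\n"})

if __name__ == "__main__":
    print(compare(BASE, FIXED), remote_load_lines(BASE), sep="\n")
```

Every file reported as changed or added still needs a manual read; the pattern list only points at lines worth reading first.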

@thexmanxyz thexmanxyz changed the title Plugin, Update and what recently happended Plugin, Hack, Update and what happended Sep 25, 2017

@thexmanxyz thexmanxyz changed the title Plugin, Hack, Update and what happended Plugin, "Hack", Update and what happended Sep 25, 2017

@thexmanxyz thexmanxyz changed the title Plugin, "Hack", Update and what happended Plugin, "Hack", Update and what happened Sep 25, 2017

@thexmanxyz thexmanxyz changed the title Plugin, "Hack", Update and what happened Plugin Mod / Fork, Update and what happened Nov 6, 2017

@ballaballa123


commented Apr 26, 2018

Thanks a lot.

@thexmanxyz

Author

commented Apr 26, 2018

@ypr52


commented May 1, 2018

I have been using 3.5.2 for a while and find no problems. Thank you for all your hard work.

@thexmanxyz

Author

commented May 1, 2018

@ypr52 glad to hear, np :)

@ypr52


commented Jun 5, 2018

I have a question. The 3.5.2 plugin works fine on a live site but when using it on a test site (using XAMPP v3.2.2) it does not always load (I sometimes get a location in Holland). Do you know the reason for this?

@thexmanxyz

Author

commented Jun 6, 2018

@ypr52 TBH I can't really say what the actual issue is, never noticed it on one of my test sites. Please open a new issue, maybe someone else has a solution. It would be better recognizable by other people within a separate issue. If there is a solution I will integrate it and create a new release.
