Hi! I found some strange code in some commits of the PurePerms plugin, in the ppinfo command handler. The code was obfuscated but could be easily decoded. I'm not really sure if it is possible to use it as a backdoor, but the obfuscation, the attempt to hide the code, leads me to such thoughts. It surely could be some debug code for the developers, but in that case why obfuscate? The code creates a file, runs it and immediately deletes it. You have to know a password to use this "hidden code". The code looks innocent: it broadcasts a message to the server with the "PP64 : DebugMsg" prefix, but then it runs PHP: extract(get_defined_vars()), which is very suspicious to me. In any case, if you are using this plugin, just make sure that there are no "hex2bin" or "base64_decode" strings inside.
The current maintainer of the plugin seems to be doing some veeeerryy weird stuff in the plugin. Note that hex2bin and base64_decode aren't evil functions. They are very useful, but I don't know why he put his 'developer mode' on the master branch. Edit: He doesn't even seem to understand it himself... : https://github.com/PurePlugins/PurePerms/commit/36afd923aacdda6977cccd2dccaa8683c5041110
Currently, the only base64_decode() call is the Logger::notice() in startup, which decodes into:

Code: PurePerms by 64FF00 & ProjectInfinity! #LEET.CC
[followed by a multi-line ASCII-art banner, flattened in this copy]

It is sensible to encode this to avoid writing multi-line strings (even though PHP allows it). As for get_defined_vars() and hex2bin(), I can't find them in the current code.
I think this was meant: https://github.com/PurePlugins/PurePerms/commit/4a4c6c9459a4d6f821a91d517f6f5a2c0ba4afb8
True. It could be found in GitHub history, and that code came to my archive possibly from the old PM forum. Anyway, an honest developer should never write code like this:

PHP:
$tmp = hex2bin('6261736536345f6465636f6465');              // 'base64_decode'
$fn = "\x54\x45\x4D\x50\x5F\x30\x31";                      // "TEMP_01"
$ul = $tmp("dW5saW5r");                                     // 'unlink'
$fo = chr(102) . chr(111) . chr(112) . chr(101) . chr(110); // 'fopen'
$fw = $tmp("ZndyaXRl");                                     // 'fwrite'
$fc = "\x66\x63\x6C\x6F\x73\x65";                          // 'fclose'
$et = $tmp("ZXh0cmFjdA==");                                 // 'extract'
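The snippet quoted above hides ordinary function names behind hex2bin(), base64_decode(), "\xHH" escapes and chr() chains; decoded, the seven variables resolve to base64_decode, TEMP_01, unlink, fopen, fwrite, fclose and extract, which is exactly the "create a file, run it, delete it" capability the first post describes. The following is an added example, not code from this thread, from PurePerms or from Poggit: a small Python resolver that folds those string-building tricks back into plain names and reports the ones a reviewer would want to see. The input is the snippet retyped from this thread, the DANGEROUS list is this example's own choice, and the resolver deliberately gives up (returns None) on anything it does not understand rather than guessing, so unresolved expressions stay visible for a human.

```python
import base64
import re

# Constructed input: the obfuscated assignments as quoted in this thread
# (retyped here, not pulled from the repository).
SAMPLE = r"""
$tmp = hex2bin('6261736536345f6465636f6465');
$fn = "\x54\x45\x4D\x50\x5F\x30\x31";
$ul = $tmp("dW5saW5r");
$fo = chr(102) . chr(111) . chr(112) . chr(101) . chr(110);
$fw = $tmp("ZndyaXRl");
$fc = "\x66\x63\x6C\x6F\x73\x65";
$et = $tmp("ZXh0cmFjdA==");
"""

# Names worth a reviewer's attention once the obfuscation is stripped.
# This list is the example's own choice, not a Poggit rule.
DANGEROUS = {
    "eval", "assert", "create_function", "extract", "get_defined_vars",
    "system", "exec", "shell_exec", "passthru", "popen", "proc_open",
    "fopen", "fwrite", "fclose", "file_put_contents", "unlink",
    "include", "require",
}

_DECODERS = {"hex2bin", "base64_decode"}

# One string-building atom of a PHP expression: a quoted literal, chr(n),
# hex2bin('..')/base64_decode('..') on a literal, $var('literal') where
# $var already holds a decoder name, or a plain $var.
_ATOM = re.compile(r"""
    "((?:[^"\\]|\\.)*)"                                   # 1 double-quoted
  | '((?:[^'\\]|\\.)*)'                                   # 2 single-quoted
  | chr\(\s*(\d+)\s*\)                                    # 3 chr(n)
  | (hex2bin|base64_decode)\(\s*['"]([^'"]*)['"]\s*\)     # 4,5 decoder(literal)
  | \$(\w+)\(\s*['"]([^'"]*)['"]\s*\)                     # 6,7 $var(literal)
  | \$(\w+)                                               # 8 $var
""", re.VERBOSE)

# Plain `$var = expr;` statements; compound forms (.=, ==) are not handled.
_ASSIGN = re.compile(r"\$(\w+)\s*=\s*([^;]+);")


def _unescape(s):
    """Expand the \\xHH escapes PHP allows inside double-quoted strings."""
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), s)


def _decode(fn, lit):
    """Apply hex2bin or base64_decode to a literal; None if it is malformed."""
    try:
        raw = (bytes.fromhex(lit) if fn == "hex2bin"
               else base64.b64decode(lit, validate=True))
    except ValueError:
        return None
    return raw.decode("latin-1")


def resolve(expr, env):
    """Evaluate a PHP string-building expression against variables already
    resolved in env. Returns None when any piece is unsupported, so the raw
    expression is left for a human to read instead of being guessed at."""
    out, pos = [], 0
    for m in _ATOM.finditer(expr):
        # Only the concatenation operator and blanks may sit between atoms.
        if expr[pos:m.start()].strip(" \t.") != "":
            return None
        pos = m.end()
        dq, sq, ch, fn, lit, vfn, varg, var = m.groups()
        if dq is not None:
            piece = _unescape(dq)
        elif sq is not None:
            piece = sq
        elif ch is not None:
            piece = chr(int(ch))
        elif fn is not None:
            piece = _decode(fn, lit)
        elif vfn is not None:
            callee = env.get(vfn)
            piece = _decode(callee, varg) if callee in _DECODERS else None
        else:
            piece = env.get(var)
        if piece is None:
            return None
        out.append(piece)
    if not out or expr[pos:].strip(" \t.") != "":
        return None
    return "".join(out)


def deobfuscate(src):
    """Walk the assignments in order and return {variable: resolved string}."""
    env = {}
    for var, expr in _ASSIGN.findall(src):
        val = resolve(expr, env)
        if val is not None:
            env[var] = val
    return env


def review(src):
    """Return sorted (variable, name) pairs whose decoded value is a
    function a reviewer should look at."""
    env = deobfuscate(src)
    return sorted((v, n) for v, n in env.items() if n in DANGEROUS)


if __name__ == "__main__":
    for var, name in deobfuscate(SAMPLE).items():
        print(f"${var} -> {name!r}")
    print("flagged:", review(SAMPLE))
```

Run on the sample it reports the five flagged names (extract, fclose, fopen, fwrite, unlink); base64_decode and the "TEMP_01" filename resolve too but are not flagged, which matches the point made later in the thread that the encoding functions themselves are harmless and it is what they decode into that matters.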
Nope, I'm talking about https://github.com/PurePlugins/Pure...4b9c679#diff-7b37a515594ec8cf59a3b6ae9a33248c You should double-check plugins with such a code style before using them on your servers.
Plugins submitted on Poggit should have been checked against such potential backdoors or obfuscated code before being marked as "Checked" or above.
eval() is a function that must be checked by Poggit. Other than that, base64_*() and hex2bin() (or bin2hex()) are useful functions and do not *en/decrypt* but encode and decode. Currently, there's no way to hide your source code in PHP (you can try making one, though).
Not sure if @Awzaw checked; the PurePerms on Poggit, iirc, is the fork on Poggit Orphanage and is not related to the current updates. Ask @Awzaw for more clarification. Poggit explicitly disallows executing arbitrary code to prevent exploits; hence auto updater is disallowed unless it only downloads approved artifacts from Poggit.
On Poggit we check every line of code before marking it as 'checked'. The original obfuscated code in PPListener wasn't doing anything nasty, in fact it did nothing at all except provide an empty function that could be used as a 'Dev' mode for debugging on a live production server, I imagine; I removed it from poggit-orphanage's fork over a month ago because it was redundant, not malicious, and because people were wondering if it was safe or not... Not sure where you got a version with that PPInfo. I have no idea who is maintaining PurePerms now, but as far as I can see there haven't been any important commits since we forked it. For information, the latest poggit-orphanage pureperms build on Poggit (not the latest release) is updated for API 3.0.0-ALPHA7.
*like* For some strange reason, they removed the ability to like posts in off-topic. I wish they didn't though...