Topic: Code errors could also mean vulnerability?

polonus
Code errors could also mean vulnerability?
« on: April 27, 2016, 01:08:50 AM »
What about this code hiccup (is there a vulnerability?): jQuery to be retired. What about this code?
Code:
// $Id: poormanscron.js,v 1.1.2.3 2010/01/17 00:27:52 davereid Exp $
// Drupal 6 "poormanscron" behaviour: jQuery and Drupal are page-level globals
// supplied by the scripts loaded before this file, not defined here.
(function ($) {

/**
 * Checks to see if the cron should be automatically run.
 */
Drupal.behaviors.cronCheck = function(context) {
  // Drupal.settings.cron.runNext is a Unix timestamp injected server-side;
  // nothing to do if it is absent or zero.
  if (Drupal.settings.cron.runNext || false) {
    // Mark <body> so the check fires once per page, even if behaviors re-run.
    $('body:not(.cron-check-processed)', context).addClass('cron-check-processed').each(function() {
      // Only execute the cron check if it's the right time.
      if (Math.round(new Date().getTime() / 1000.0) >= Drupal.settings.cron.runNext) {
        // Fire-and-forget GET; the server decides whether cron actually runs.
        $.get(Drupal.settings.cron.basePath + '/run-cron-check');
      }
    });
  }
};

})(jQuery);
See analysis:
[decodingLevel=0] found JavaScript
     error: undefined variable jQuery
     error: undefined variable Drupal
     error: undefined variable Drupal.behaviors
     error: line:1: SyntaxError: missing ; before statement:
          error: line:1: var Drupal.behaviors = 1;
          error: line:1: ....^
Where did we meet this? http://nieuws.kuleuven.be/node/10871
Detected libraries:
jquery - 1.3.2 : (active1) http://nieuws.kuleuven.be/sites/all/modules/jquery_update/replace/jquery.js?9
Info: Severity: medium
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4969
http://research.insecurelabs.org/jquery/test/
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
(active) - the library was also found to be active by running code
1 vulnerable library detected

Suspicious code, exceeding runtime = nieuws.kuleuven.be/sites/all/modules/update/replace/jquery.js?9

Excessive server info proliferation: Apache/2.2.15 (CentOS) Server at nieuws.kuleuven.be Port 80

Various undefined variables detected in the script code:
     error: undefined variable Drupal
     error: undefined variable Drupal.behaviors
     error: line:1: SyntaxError: missing ; before statement:
          error: line:1: var Drupal.behaviors = 1;
          error: line:1: ....^
Thanks to Steven Winderlich for reporting this to me,

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
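Added example (my own code, not from polonus's post and not code from jQuery or Drupal). The "undefined variable jQuery / Drupal" errors in the quoted analysis only mean the analyser executed poormanscron.js on its own, outside the page that defines those globals; they are not a vulnerability by themselves. The security-relevant hit is jQuery 1.3.2 with CVE-2011-4969: before 1.6.3, `$(string)` parsed any string containing `<...>` as HTML, so a site that does `$(location.hash)` could have markup injected through the URL fragment. The two regular expressions below are my transcription of jQuery's internal `quickExpr` in 1.3.2 and 1.6.3 (an assumption to verify against the tagged source); the attacker hash and example URLs are constructed.

```javascript
// Added example (not code from the original post or from Drupal/jQuery).
// Purpose: show why the real finding above is the jQuery 1.3.2 version
// (CVE-2011-4969), not the "undefined variable jQuery/Drupal" errors, which
// only mean the analyser ran poormanscron.js outside the page that defines
// those globals.
//
// ASSUMPTION: the two regexes are my transcription of jQuery's internal
// `quickExpr` in 1.3.2 (vulnerable) and 1.6.3 (fixed). Check them against the
// tagged source before quoting them as the library's exact code.

// jQuery 1.3.2: anything containing "<...>" goes down the HTML-parsing path,
// even when it starts with "#", so $(location.hash) can create markup.
const quickExprVulnerable = /^[^<]*(<(.|\s)+>)[^>]*$|^#([\w-]+)$/;

// jQuery 1.6.3: "#" is excluded from the prefix class, so a string beginning
// with "#" can never be treated as HTML; it is an id selector or nothing.
const quickExprFixed = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

// Mirrors the branch jQuery takes on the match: a capture in group 1 means
// "parse as HTML"; the id capture means "getElementById"; no match means
// the string is handed to the CSS selector engine.
function classify(re, input) {
  const m = re.exec(input);
  if (!m) return 'selector';
  if (m[1]) return 'html';
  return 'id';
}

// Constructed attacker input: what a victim's location.hash would hold after
// following http://example.test/page#<img src=x onerror=alert(1)> (hypothetical URL).
const ATTACKER_HASH = '#<img src=x onerror=alert(1)>';

// True when a hash becomes DOM injection under the old regex but not under
// the fixed one, i.e. exactly the CVE-2011-4969 condition.
function exploitableViaHash(hash) {
  return classify(quickExprVulnerable, hash) === 'html'
      && classify(quickExprFixed, hash) !== 'html';
}

// Application-side mitigation that works regardless of jQuery version:
// never pass location.hash straight to $(); only accept a plain id.
function safeIdSelector(hash) {
  return /^#[A-Za-z][\w-]*$/.test(hash) ? hash : null;
}

// Stand-alone run: prints how each library version would treat each input.
for (const input of [ATTACKER_HASH, '#main', '<div>hello</div>']) {
  console.log(JSON.stringify(input),
              'jQuery 1.3.2 ->', classify(quickExprVulnerable, input),
              '| jQuery 1.6.3 ->', classify(quickExprFixed, input),
              '| exploitable via hash:', exploitableViaHash(input));
}
```

Run it with `node`. The point for triage: the static "undefined variable" noise disappears as soon as the file is evaluated in its real page context, whereas the version finding stays true until the site upgrades (the retire.js links in the post point at the 1.12/2.2 releases). Whether a given browser leaves `<` unencoded in `location.hash` varies, so treat `safeIdSelector` as defence in depth, not as a substitute for upgrading jQuery.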