salesagility/SuiteCRM

Tracking calls in nusoap

judgej opened this issue · 5 comments

I have been finding a number of places where details of the site are being tracked. If this tracking was open and clear, I would be ignoring it, but it is obfuscated, so it looks like it is up to no good and should be removed.

Here is one in includes/nusoap/nusoap.php around line 9315:

    if($operation== "\x73\x75\x67\x61\x72\x48\x6f\x6d\x65" && substr_count($this->endpoint, "\x3a\x2f\x2f\x75\x70\x64\x61\x74\x65\x73\x2e\x73\x75\x67\x61\x72\x63\x72\x6d\x2e\x63\x6f\x6d\x2f\x68\x65\x61\x72\x74\x62\x65\x61\x74\x2f\x73\x6f\x61\x70\x2e\x70\x68\x70") == 0 ){
        $c2 = new nusoapclient("\x68\x74\x74\x70\x73\x3a\x2f\x2f\x75\x70\x64\x61\x74\x65\x73\x2e\x73\x75\x67\x61\x72\x63\x72\x6d\x2e\x63\x6f\x6d\x2f\x68\x65\x61\x72\x74\x62\x65\x61\x74\x2f\x73\x6f\x61\x70\x2e\x70\x68\x70", false, false, false, false, false, 15, 15);
        $ping = $c2->call("\x73\x75\x67\x61\x72\x50\x69\x6e\x67", array());
        if(empty($ping) || $c2->getError()){
            $c2 = new nusoapclient("\x68\x74\x74\x70\x3a\x2f\x2f\x75\x70\x64\x61\x74\x65\x73\x2e\x73\x75\x67\x61\x72\x63\x72\x6d\x2e\x63\x6f\x6d\x2f\x68\x65\x61\x72\x74\x62\x65\x61\x74\x2f\x73\x6f\x61\x70\x2e\x70\x68\x70", false, false, false, false, false, 15, 15);
            $c2->call("\x73\x75\x67\x61\x72\x48\x6f\x6d\x65", $params);
        }
    }

The hex codes translate to:

sugarHome
://updates.sugarcrm.com/heartbeat/soap.php
https://updates.sugarcrm.com/heartbeat/soap.php
sugarPing
http://updates.sugarcrm.com/heartbeat/soap.php
sugarHome

I can do a pull request, but raising it for confirmation first.
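As an added example (not code from this issue or from SuiteCRM), a small Python scanner that decodes PHP string literals written entirely as \xHH escapes, like the ones quoted above, and flags those that decode to a URL or host name. The sample PHP source and the TLD shortlist are constructed assumptions for the demo.

```python
"""Find all-hex PHP string literals, decode them, and flag call-home targets."""
import re
import sys
from typing import List, Tuple

# A double-quoted PHP literal made up solely of \xHH escapes (the pattern seen in nusoap.php).
HEX_LITERAL = re.compile(r'"((?:\\x[0-9a-fA-F]{2})+)"')
# Assumed hint for "this decodes to a network endpoint": a URL scheme separator or a common TLD.
NETWORK_HINT = re.compile(r'://|\.(?:com|net|org|io)\b', re.IGNORECASE)

# Constructed sample modelled on the excerpt in this issue (shortened; not the real file).
SAMPLE_PHP = r'''if($operation== "\x73\x75\x67\x61\x72\x48\x6f\x6d\x65") {
    $c2 = new nusoapclient("\x68\x74\x74\x70\x73\x3a\x2f\x2f\x75\x70\x64\x61\x74\x65\x73\x2e\x73\x75\x67\x61\x72\x63\x72\x6d\x2e\x63\x6f\x6d\x2f\x68\x65\x61\x72\x74\x62\x65\x61\x74\x2f\x73\x6f\x61\x70\x2e\x70\x68\x70", false, 15, 15);
    $ping = $c2->call("\x73\x75\x67\x61\x72\x50\x69\x6e\x67", array());
    $label = "plain text stays untouched";
}'''


def decode_hex_literal(literal: str) -> str:
    """Turn '\\x73\\x75...' (the inside of the quotes) into readable text."""
    hex_digits = ''.join(re.findall(r'\\x([0-9a-fA-F]{2})', literal))
    return bytes.fromhex(hex_digits).decode('utf-8', errors='replace')


def find_hex_literals(php_source: str) -> List[Tuple[int, str]]:
    """Return (line_number, decoded_text) for every all-hex literal in the source."""
    found = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for match in HEX_LITERAL.finditer(line):
            found.append((lineno, decode_hex_literal(match.group(1))))
    return found


def flag_network_literals(php_source: str) -> List[Tuple[int, str]]:
    """Keep only decoded literals that name a URL or host, i.e. likely call-home targets."""
    return [(n, s) for n, s in find_hex_literals(php_source) if NETWORK_HINT.search(s)]


if __name__ == "__main__":
    # Usage: python scan_hex_literals.py file1.php file2.php ...  (no args scans the sample)
    paths = sys.argv[1:]
    sources = [(p, open(p, encoding='utf-8', errors='replace').read()) for p in paths]
    for path, src in sources or [("<sample>", SAMPLE_PHP)]:
        for lineno, text in find_hex_literals(src):
            mark = "NETWORK" if NETWORK_HINT.search(text) else "       "
            print(f"{mark} {path}:{lineno}: {text}")
```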

Yes, I agree, this can def be removed. Thanks for finding and highlighting this.

Did you mean to close this? I press the wrong button here all the time ;-)

Sorry, no!

This is from a while back. Did this get fixed, or is it still waiting for a pull request? I can pull my finger out and do that if required.

We have not yet addressed this issue. If you would like to contribute a fix, that would be welcome, but it is something we will get around to addressing.