Forum OpenACS Q&A: Re: Virus found JS/Obfuscated

Collapse
Posted by sal berg on
Ah, are you associated with that site? I meant no disrespect, I simply meant to say that, judging from the activity level there (last posts were December-ish?), I didn't expect to hear back from any post there anytime soon.

So what do we do now? Hope that someone else sees this and responds? I don't want to install the software unless it is confirmed or not that OpenACS has a virus.

At any rate, thanks a lot for your help.

Collapse
Posted by Maurizio Martignano on
Ehm....

I'll be more explicit.

I believe you found a false positive.

tag-lib.js uses javascript encryption to make the size smaller; this is called "compression". Even though some trojans use this technique, it does not inherently mean a security issue. In this case, the tag-lib.js file does not contain any trojan and is meant to be that way.

If you still feel uncomfortable, you can of course delete that file - it is only required for a specific feature of the Xinha WYSIWYG editing component ("QuickTags").

Collapse
Posted by sal berg on
Thanks! I'll go ahead and install. My lawyers will be in touch in case anything bad happens.

That last sentence was a joke, heh 😊

Collapse
Posted by Maurizio Martignano on
It is your own call and your call only.
It is your own resposibility and your responsibility only.
I'd like to stress what I wrote:
1. I believe... (and not I know for sure)
2. If you still feel uncomfortable, you can of course delete that file - it is only required for a specific feature of the Xinha WYSIWYG editing component ("QuickTags").
So again, it is your own call.
Collapse
Posted by Gustaf Neumann on
Well, at least in the HEAD branch tag-lib,js is not compressed. The file looks pretty harmless to me:
http://fisheye.openacs.org/browse/OpenACS/openacs-4/packages/acs-templating/www/resources/xinha-nightly/plugins/QuickTag/tag-lib.js?hb=true
Collapse
Posted by Maurizio Martignano on
Hello Gustav,
why is it compressed in the tar distribution and not in the HEAD branch?
If compression is important (for performance reasons) it should be present in both; if it is not it should be removed in both.

Cheers,
Maurizio