News:

Looking for documentation? Take a look on our wiki

Main Menu

Suspicious JS inclusion

Started by zaza1964, December 03, 2012, 19:03:51 PM

Previous topic - Next topic

zaza1964

Scanning my site with RSFirewall, I got the following message:

Scanning your files for common malware
We've found a total of 1 malware scripts inside your files. Please review
them manually as the scan might have detected false alerts.

plugins/vmpayment/klarna/klarna/tmpl/payment_form.php

Suspicious JS inclusion

cdn.klarna.com/public/kitt/toc/v1.0/js/klarna.terms.min.js"
type="text/javascript

In the include, there's apparently Cross Site Scripting (XSS) to:
http://cdn.klarna.com/public/kitt/toc/v1.0/js/klarna.terms.min.js

Anyone could tell me what this is?

Thanks!

Joomla 2.5.8 & VirtueMart 2.0.14

jenkinhill

Automated scans are all too often unreliable. You need to provide the precise report and identify the lines of code trigerring this alert.

This is the only report I have seen of this.
Kelvyn
Lowestoft, Suffolk, UK

Retired from forum life November 2023

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

zaza1964

Off on holidays for 10 days, will do when I get back.

Milbo

Quote from: zaza1964 on December 03, 2012, 19:03:51 PM
Please review
them manually as the scan might have detected false alerts.
As they say themself it might be a false alert.

Quote from: zaza1964 on December 03, 2012, 19:03:51 PM
plugins/vmpayment/klarna/klarna/tmpl/payment_form.php

Suspicious JS inclusion

cdn.klarna.com/public/kitt/toc/v1.0/js/klarna.terms.min.js"
type="text/javascript

In the include, there's apparently Cross Site Scripting (XSS) to:
http://cdn.klarna.com/public/kitt/toc/v1.0/js/klarna.terms.min.js

As far as I understand this is just a dynamic include of the klarna tos. It is directly loaded from their server. Suspicious usually, yes. Other "suspicious" things we do are just whitelisted like loading jquery from google. So as far I can see, everything is fine.
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

Dan1980

I received this also with a scan tonight.

I have a fresh install of a site (in Beta, no-index/no-follow, not advertised anywhere, receives no traffic ... only my team and the odd script-kid from China scanning IP ranges randomly).

QuoteScanning your files for common malware
We've found a total of 2 malware scripts inside your files. Please review them manually as the scan might have detected false alerts.

administrator/components/com_virtuemart_allinone/plugins/vmcalculation/avalara/classes/AvaCertSvc.class.php
Possible PHP injection (mailer)
mail("info@

plugins/vmpayment/klarna/klarna/tmpl/payment_form.php
Suspicious JS inclusion
cdn.klarna.com/public/kitt/toc/v1.0/js/klarna.terms.min.js" type="text/javascript

I would imagine that this must be a false alert. And decided to add this here in case it helps anyone - or if you can shed further light on this since responding to zaza1964.

Many Thanks!

Joomla!   2.5.8 Stable [ Ember ]
Virtuemart   2.0.14
RSFirewall!   46

plus (just in case)
WHM   11.34.0 (build 11)
MySQL version    5.1.65-cll
PHP version    5.3.18

Dan1980

Can anyone else confirm that this is a false alarm?

No one?

mzone85

#6
I have the same problem with RSfirewall

plugins/vmcalculation/avalara/classes/AvaCertSvc.class.php   Possible PHP injection (mailer)   mail("info@
plugins/vmpayment/klarna/klarna/tmpl/payment_form.php   Suspicious JS inclusion   cdn.klarna.com/public/kitt/toc/v1.0/js/klarna.terms.min.js" type="text/javascript

Should i ignore this?

joomla 2.5.9
virtuemart 2.0.20a