• Resolved RMJ

    (@rmj)


I was fooling around on my site today and updated this plugin (I had an old, modified 1.x version on my site because the old one didn’t work as I liked on a few pages when I first installed it). Later, when I already thought everything was running just fine, I posted a link to one page on Facebook and was surprised by the malformed preview Facebook gave for my post (image missing and the description had parts of the image link). First I

A quick look into the source code of the page showed a pretty serious bug. This is exactly what the Nextgen FB plugin had written to the source:
    <meta property="og:image" content="<?php echo site_url(); ?>/resources/images/agenda/agenda-20121229-dj.png" />

I use the Exec-PHP plugin, which allows adding PHP code into the content of the page. The Nextgen FB plugin seems to copy the content as is, without any check for possible code in it.

What I had written on my page in WordPress:
    <div class="image"><div class="date">2012-12-29</div><div><img src="<?php echo site_url(); ?>/resources/images/agenda/agenda-20121229-dj.png" alt="" /></div></div>

In my case, I was lucky that what happened to be on that one page within the img tag was quite harmless. But I can imagine the harm done if someone runs more complex scripts there, maybe even DB queries with passwords hard-coded in them!

Note that Exec-PHP was operating normally when viewing the page, so WordPress itself did parse the content normally before showing it.

    http://ww.wp.xz.cn/extend/plugins/nextgen-facebook/
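As an added example (not the Nextgen FB plugin's code and not anything RMJ posted), the following stand-alone PHP reproduces the leak described above and puts a hardened extraction beside it. site_url(), render_content() and the sample post content are assumptions standing in for WordPress's site_url(), the `the_content` filter chain with Exec-PHP hooked in, and the page content quoted above; the fix it shows (derive the tag from rendered output, validate the URL, escape it) is a generic one, not the change the plugin author actually made, which the thread does not describe.

```php
<?php
// Added example, not the Nextgen FB plugin's code: reproduces the bug from the
// post above (og:image built from unfiltered post content) next to a hardened
// version. Everything here is a stand-in for WordPress so it runs with `php`:
//   - site_url() below stands in for WordPress's site_url()
//   - render_content() stands in for apply_filters('the_content', ...) with an
//     Exec-PHP-style plugin hooked in (Exec-PHP evaluates PHP in post content)

function site_url(): string
{
    return 'https://www.example.com'; // assumed site URL
}

// Stand-in for the filtered content WordPress hands to the theme. eval() of
// author-supplied content is what Exec-PHP does; it is only acceptable for
// fully trusted authors, which is why hard-coded passwords in post content
// are a real concern once another plugin copies that content elsewhere.
function render_content(string $content): string
{
    ob_start();
    eval('?>' . $content);
    return (string) ob_get_clean();
}

// First <img src="..."> value in a fragment of HTML, or null if there is none.
function first_img_src(string $html): ?string
{
    return preg_match('/<img\b[^>]*\bsrc=["\']([^"\']+)["\']/i', $html, $m) ? $m[1] : null;
}

// VULNERABLE: scrapes the raw post_content, so unexecuted PHP and anything
// else an author typed is copied verbatim into the page <head>.
function og_image_tag_unsafe(string $postContent): string
{
    $src = first_img_src($postContent) ?? '';
    return '<meta property="og:image" content="' . $src . '" />';
}

// HARDENED: parse the *rendered* content, accept only absolute http(s) URLs,
// refuse anything that still looks like markup or code, and attribute-escape
// the result. Returns null when no safe og:image can be emitted.
function og_image_tag_safe(string $postContent): ?string
{
    $src = first_img_src(render_content($postContent));
    if ($src === null) {
        return null;
    }
    $url = html_entity_decode($src, ENT_QUOTES, 'UTF-8');
    if (strpos($url, '<') !== false || strpos($url, '>') !== false) {
        return null; // source code leaked through the filters: do not publish it
    }
    if (filter_var($url, FILTER_VALIDATE_URL) === false
        || !in_array(parse_url($url, PHP_URL_SCHEME), ['http', 'https'], true)) {
        return null; // relative paths and odd schemes are useless to Facebook anyway
    }
    return '<meta property="og:image" content="'
        . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" />';
}

// Constructed post content, modelled on the one quoted in the thread.
$postContent = '<div class="image"><div class="date">2012-12-29</div>'
    . '<div><img src="<?php echo site_url(); ?>/resources/images/agenda/agenda-20121229-dj.png" alt="" /></div></div>';

echo "Unsafe: ", og_image_tag_unsafe($postContent), "\n";
echo "Safe:   ", og_image_tag_safe($postContent) ?? '(no og:image emitted)', "\n";
```

Run it with `php`: the unsafe line reproduces the leaked `<?php echo site_url(); ?>` tag from the page source, the safe line carries the resolved absolute URL. In a real plugin the same logic would sit in a wp_head callback, calling apply_filters('the_content', $post->post_content) in place of render_content(); og:description needs the same treatment (filter first, then wp_strip_all_tags() and wp_trim_words()), since the description in the Facebook preview leaked parts of the image link the same way.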

Viewing 3 replies - 31 through 33 (of 33 total)
  • Thread Starter RMJ

    (@rmj)

Never mind, I had commented out wp_footer() in my footer.php.

Now it works fine. It’s up on the main site.

    Plugin Author JS Morisset

    (@jsmoriss)

    Ah, yes, the javascript is part of a filter on wp_footer(). 😉

    I have to leave the “twitter-share-button” class on the anchor since the twitter javascript uses it. I moved the “twitter-button” class up into a div though. Let me know how things work out for you.

    I just released the stable 2.3 tag, so you should see 2.3 appearing as an update on your plugin page shortly.

    Thanks,

    js.

    Thread Starter RMJ

    (@rmj)

Yeah, that should be more than enough. Just having them in the same kind of base tag simplifies things a lot.

When I first styled them I assumed they were all inside a DIV, and well, things didn’t go well when I did something like:

    .ngfb-buttons > DIV { display: inline-block; }

It didn’t work (because it didn’t affect the twitter button), but then I got the idea anyway to float them on the left side (instead of having them on one line on top of the post). BTW, I just now noticed why it didn’t work in the first place; I didn’t even start to dig into the reason back then (I always assumed the twitter button was also inside a div element just like the others). Surely it wouldn’t be a big thing to style it without the div, but well, it simplifies things. 🙂


The topic ‘serious security bug’ is closed to new replies.