I have found suspicious looking code on line 351 inside the wordtwit/include/oauth-twitter.php as follows:
eval( base64_decode( 'ZGVmaW5lKCAnV09SRFRXSVRfT0FVVEhfQ09OU1VNRVJfU0VDUkVUJywgJ0cxWkVTQjVXUGpDVDE4dVhDeldxNVZxbHBtdDdKanNVYVN0ZG5Gd3dhdycgKTs=' ) );
To me, this looks suspicious. Please confirm that this is part of your original coding and why you chose to make it this way.
Note: This is from a fresh download as of today from the wordpress.org plugin page.
http://wordpress.org/extend/plugins/wordtwit/
Duane Storey
Member
Plugin Author
Posted 2 years ago #
Yes, it's by design. It represents the OAuth token secret. Ideally it's kept secret, but since that's not possible in a PHP plugin the best we can do is obfuscate it, which is what's done there.
Aaron Brazell
Member
Posted 2 years ago #
You should be aware that the obfuscation not only doesn't solve the problem of it being a secret, but the way it is written causes problems in some setups. Break it into two lines: the base64_decode() result returned to a string, and the string then eval()'d.
This works in our environment where the current way does not. I know it's weird. But trust me...
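As an added example for the opening question (is this eval(base64_decode()) line suspicious?) and for Aaron's point that base64 hides nothing, here is a small Python scanner, not code from this thread or from the WordTwit plugin, that finds eval(base64_decode('...')) calls in PHP source, decodes each payload so a reviewer can see what would actually run, and flags anything that is not a plain define() of a quoted constant. The sample PHP is constructed inline with a placeholder secret value; the regex names and the verdict labels (define-only, needs-review, undecodable) are my own choices.

```python
import base64
import re

# eval( base64_decode( '...' ) ) with any spacing; group 1 is the quoted payload.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([^'\"]+)['\"]\s*\)\s*\)"
)

# A decoded payload that is only define( 'CONST', 'value' ); -- the benign shape
# the plugin author describes.  Anything else is sent for manual review.
DEFINE_ONLY = re.compile(
    r"^\s*define\s*\(\s*'[A-Z0-9_]+'\s*,\s*'[^']*'\s*\)\s*;\s*$"
)


def decode_payload(encoded):
    """Strictly base64-decode; return None if the text is not valid base64."""
    compact = re.sub(r"\s+", "", encoded)
    try:
        return base64.b64decode(compact, validate=True).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def classify(decoded):
    """Verdict for one decoded payload."""
    if decoded is None:
        return "undecodable"
    if DEFINE_ONLY.match(decoded):
        return "define-only"
    return "needs-review"


def scan_php(source):
    """One finding per eval(base64_decode()) call: line number, encoded and decoded text, verdict."""
    findings = []
    for m in EVAL_B64.finditer(source):
        line_no = source.count("\n", 0, m.start()) + 1
        decoded = decode_payload(m.group(1))
        findings.append({
            "line": line_no,
            "encoded": m.group(1),
            "decoded": decoded,
            "verdict": classify(decoded),
        })
    return findings


def _b64(php):
    """Base64-encode a PHP snippet the way the plugin's wrapper expects it."""
    return base64.b64encode(php.encode()).decode()


# Constructed sample PHP (not the plugin's file): the same wrapper around a
# placeholder define(), around a non-define statement, and around junk.
SAMPLE_PHP = "\n".join([
    "<?php",
    "// constructed sample",
    "eval( base64_decode( '" + _b64("define( 'EXAMPLE_CONSUMER_SECRET', 'placeholder-not-a-real-secret' );") + "' ) );",
    "eval( base64_decode( '" + _b64("echo 'not a define';") + "' ) );",
    "eval( base64_decode( '%%%' ) );",
    "",
])


if __name__ == "__main__":
    for f in scan_php(SAMPLE_PHP):
        print(f"line {f['line']}: {f['verdict']}: {f['decoded']!r}")
```

Run against a real plugin tree by reading each .php file into scan_php(); the point of the decoded column is that the "obfuscated" secret is readable by anyone who does this, which is why obfuscation is not a substitute for keeping the secret out of distributed code.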