NextGEN Facebook: Advanced Optimization for All Social Websites
[resolved] serious security bug (34 posts)

  1. RMJ
    Member
    Posted 1 year ago #

    I was fooling around on my site today and updated this plugin (I had an old, modified 1.x version on my site because the old one didn't work as I liked on a few pages when I first installed it). Later, when I already thought everything was running just fine, I posted a link to one page on Facebook and was surprised by the malformed preview Facebook gave for my post (image missing and the description had parts of the image link). First I

    A quick look into the source code of the page showed a pretty serious bug. This is exactly what the NextGEN FB plugin had written to the source:
    <meta property="og:image" content="<?php echo site_url(); ?>/resources/images/agenda/agenda-20121229-dj.png" />

    I use the Exec-PHP plugin, which allows adding PHP code into the content of the page. The NextGEN FB plugin seems to copy the content as is, without any check for possible code in it.

    What I had written on my page in WordPress:
    <div class="image"><div class="date">2012-12-29</div><div><img src="<?php echo site_url(); ?>/resources/images/agenda/agenda-20121229-dj.png" alt="" /></div></div>

    In my case I was lucky that what happened to be on that one page within the img tag was quite harmless. But I can imagine the harm done if someone runs more complex scripts there, maybe even DB queries with passwords hard-coded in them!

    Note that Exec-PHP was operating normally when viewing the page, so WordPress itself did parse the content normally before showing it.

    http://wordpress.org/extend/plugins/nextgen-facebook/

  2. JS Morisset
    Member
    Plugin Author

    Posted 1 year ago #

    RMJ,

    Let's not get ahead of ourselves -- NGFB ran and picked up the code before it could be executed. The code is output from PHP, not input.

    All plugins are executed in a certain order, depending on their priority. Most plugins have a priority of "10", including the NGFB function that adds the meta tags. If you were to change the priority on this line from "10" to perhaps "20" or more, your problem should go away.

    add_filter( 'wp_head', 'ngfb_add_meta_tags', 10 );

    I will make this change in v2.1.2, and also filter the og:image tag as I do most others (like og:description).

    Let me know if the change in priority fixes your issue.

    Thanks,

    js.

  3. JS Morisset
    Member
    Plugin Author

    Posted 1 year ago #

    RMJ,

    I just uploaded a new version with the change I suggested above, and some additional sanitation of OG values. Give v2.1.2 a try and let me know if that fixes your issue.

    Thanks,

    js.
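    What the "sanitation of OG values" mentioned in the two replies above can look like for og:image, as an added stand-alone PHP example that is not NGFB's code (the function names are hypothetical). The thread's defect was that an <img src> was copied into the meta tag verbatim, PHP tags included. The example drops anything that looks like a PHP tag, accepts only an absolute http(s) URL, and escapes the value for an HTML attribute; it refuses a relative path rather than emitting it, since a crawler cannot use one. The sample inputs are constructed from the values quoted in the thread.

```php
<?php
// Added example, not NGFB's code. Function names are hypothetical.

function example_sanitize_og_image( string $raw ): ?string {
    // 1. Remove PHP open/close tags and everything between them. Unrendered
    //    post content must never reach a meta tag, so drop it rather than
    //    guess what it would have produced.
    $value = preg_replace( '/<\?(?:php|=)?.*?(\?>|$)/is', '', $raw );
    $value = trim( html_entity_decode( $value, ENT_QUOTES ) );

    // 2. Only an absolute http or https URL is useful to a crawler.
    //    FILTER_VALIDATE_URL alone still accepts other schemes, so the
    //    scheme is checked separately.
    if ( filter_var( $value, FILTER_VALIDATE_URL ) === false ) {
        return null;
    }
    $scheme = strtolower( (string) parse_url( $value, PHP_URL_SCHEME ) );
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        return null;
    }

    // 3. Escape for use inside a double-quoted attribute so the value can
    //    never terminate content="..." early.
    return htmlspecialchars( $value, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
}

function example_og_image_tag( string $raw ): string {
    $url = example_sanitize_og_image( $raw );
    if ( $url === null ) {
        return '';   // emit nothing rather than an unusable value
    }
    return '<meta property="og:image" content="' . $url . '" />';
}

// Constructed inputs modelled on the thread.
$samples = array(
    // PHP tag copied from the content: stripped, leaving a relative path, rejected
    '<?php echo site_url(); ?>/resources/images/agenda/agenda-20121229-dj.png',
    // already absolute: accepted as-is
    'http://www.example.com/resources/images/agenda/agenda-20121229-dj.png',
    // not http(s): rejected
    'data:image/png;base64,AAAA',
);
foreach ( $samples as $s ) {
    echo $s, "\n  => ", example_og_image_tag( $s ), "\n";
}
```

    Run with `php example.php`; the first and third samples produce an empty line, the second the finished meta tag.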

  4. RMJ
    Member
    Posted 1 year ago #

    Okay, good to know. I thought it might have had something to do with the order the plugins work in, but I didn't even have time to find out if I could change it.

    But I guess by default it might then be good to run this plugin a bit later in the order to avoid such a situation.

    I will try out the new version today and let you know how it goes on my site.

  5. RMJ
    Member
    Posted 1 year ago #

    I updated the plugin and tried the same code as I had before.

    The problem now is that it completely ignores the PHP code (or its output), resulting in a partial URL (just the relative path). Because the image path is now incomplete, Facebook won't fetch the image and throws an error:

    The meta tag now says:
    <meta property="og:image" content="/resources/images/agenda/agenda-20130105-hedbomusiquemag.png">

    Whilst the source code (of the first image) later says:
    <img src="http://www.MYSITE.com/resources/images/agenda/agenda-20130105-hedbomusiquemag.png" alt="" />

    That happens when using my earlier code:
    <img src="<?php echo site_url(); ?>/resources/images/agenda/agenda-20130105-hedbomusiquemag.png" alt="" />

    Due to the relative path inside the meta tag, Facebook is not able to process it. (Interestingly enough, they won't try to fetch it from the base domain if a relative path is given.)

    Here is a quote from the Facebook debugger (home > tools > debugger):

    Errors That Must Be Fixed
    Object Invalid Value: Object at URL 'http://www.MYSITE.com/agenda/' of type 'article' is invalid because the given value '/resources/images/agenda/agenda-20130105-hedbomusiquemag.png' for property 'og:image:url' could not be parsed as type 'url'.

    It actually might work if I weren't using permalinks. I don't know if FB is trying to fetch the image from MYSITE.com/agenda/resources/ instead of the real path MYSITE.com/resources/.

    Either way, the meta tag should include the full path to avoid such a problem.

    BTW,
    I changed the filter setting in the plugin source from 20 back to 10 and it no longer shows the PHP code (or anything at all) in the source when running the site. That's a good thing. Even going all the way down to 1 won't get the PHP code output, so that surely fixes the security problem. Now the problem is just how to get the PHP parsed and output the proper URL there.

  6. JS Morisset
    Member
    Plugin Author

    Posted 1 year ago #

    Hm... My guess is the plugin is going to "the_content" to get that img URL, and in your content, you must have some uninterpreted PHP. Since the OG meta tags are created in the_head, I should be able to pass the content through a "the_content" filter... Just to make sure, could you turn on debug mode (check-box near the bottom of the options page) and give me the URL to that webpage? I'll have a look at the page source to make sure that img URL is really being picked up from the content. I should be able to update the plugin later today.

    Thanks,

    js.

  7. RMJ
    Member
    Posted 1 year ago #

    It's in debug mode now:

    http://www.alizeeart.com/agenda/

    The debug information seems to confirm the problem.

  8. JS Morisset
    Member
    Plugin Author

    Posted 1 year ago #

    Yeah, that's what I suspected:

    image_source = preg_match_all / img src / <?php echo site_url(); ?>/resources/images/agenda/agenda-20130105-hedbomusiquemag.png

    As a last resort, NGFB looks in the content for an <img> tag. It found one, but the content has not been rendered enough to complete the URL.

    The sanitation code I added to 2.1.2 takes care of stripping the PHP, but that doesn't fix the issue. ;-)

    Could you test the current development version at http://downloads.wordpress.org/plugin/nextgen-facebook.zip? I added an "apply_filters()" function which should fix the problem.

    BTW, very nice site design. Clean and attractive.

    Thanks,

    js.

  9. RMJ
    Member
    Posted 1 year ago #

    Thanks for the comment. :)

    Anyway, I tried the development version and it's not a change in a good direction. It picks up the "tumblr" image this time.

    From the source code:

    Debug Array:
    	image_source = preg_match_all / img src / http://platform.tumblr.com/v1/share_2.png

    Why doesn't it see the same image as before? (Nothing has changed on my page.) Also a bit strange that it picks up an image generated by the script itself.

  10. JS Morisset
    Member
    Plugin Author

    Posted 1 year ago #

    Ah. Yeah, that makes sense -- it grabs the first <img> it finds.

    It picks up an image from the button because it runs apply_filters('the_content') on the text, and the social buttons are part of the_content.

    Easy fix. Give me 5 mins. ;-)

    js.

  11. JS Morisset
    Member
    Plugin Author

    Posted 1 year ago #

    Alright, give the development version another go:

    http://downloads.wordpress.org/plugin/nextgen-facebook.zip

    :)

    Thanks,

    js.

  12. RMJ
    Member
    Posted 1 year ago #

    Okay great, I'll be waiting for the next version.

    I found the offending line in the code, but as I don't know the system well enough, I don't even know where to start fixing it. So better wait for your fix. :)

  13. RMJ
    Member
    Posted 1 year ago #

    Well, I've now got the new version up and running and it looks like it fixes the problem. :)

    Debug Array:
    	image_source = preg_match_all / img src / http://www.alizeeart.com/resources/images/agenda/agenda-20130105-hedbomusiquemag.png
    -->

    Thanks a lot. I will fool around to see if everything works.

    edit:
    It passes through FB debugger just fine too.

  14. JS Morisset
    Member
    Plugin Author

    Posted 1 year ago #

    Excellent - glad I could help.

    js.

  15. RMJ
    Member
    Posted 1 year ago #

    Mmm...

    All the other pages containing PHP (in the page content) are now dead. No content is generated for them (including the main page).

    It happens with both development versions, so it must be related to your first try to fix it.

    I changed back to the official 2.1.2 release and it works (with wrong image of course).

  16. RMJ
    Member
    Posted 1 year ago #

    A simple script like <?php echo "test" ?> works just fine, but if I have something more complex it breaks the page.

  17. JS Morisset
    Member
    Plugin Author

    Posted 1 year ago #

    Hm. I've had so-so results with using apply_filters('the_content'), which is why I wasn't using it. On my end, it breaks NextGEN Gallery's album shortcode, so I added a check for that specific shortcode:

    $content = $post->post_content;
    // the_content filter breaks the ngg album shortcode
    if ( ! preg_match( '/\[ *album[ =]/', $content ) ) {
            $content = apply_filters( 'the_content', $content );
            $content = str_replace( ']]>', ']]&gt;', $content );
            $content = preg_replace( '/[\r\n\t ]+/s', ' ', $content );      // put everything on one line

            // remove the social buttons that may have been added
            $ngfb_msg = 'NextGEN Facebook OG Social Buttons';
            $content = preg_replace( "/<!-- $ngfb_msg BEGIN -->.*<!-- $ngfb_msg END -->/", ' ', $content );
    }

    Do you have access to the web server's log files? Is there anything in the error log?

    What plugin are you using to render that PHP code?

    Thanks,

    js.

  18. RMJ
    Member
    Posted 1 year ago #

    Mmm, actually it's the first @include that breaks it.

    I'm including some functions for the page like this, and it seems to break it.

    <?php @include('/path/to/php.file'); ?>

    The file has a few functions, but the page breaks no matter whether I try to call them or not. No extra lines before or after the PHP brackets (inside the include file), and it doesn't output anything (inside or outside the functions).

    I will have to check logs for more information.

    I used the Exec-PHP plugin.

  19. RMJ
    Member
    Posted 1 year ago #

    The page breaks if I add

    <?php
    function any_function() {
    }
    ?>

    So the include probably works, but it dies when (something is) trying to parse the function.

  20. JS Morisset
    Member
    Plugin Author

    Posted 1 year ago #

    As far as I can tell, using apply_filters('the_content') is perfectly ok, BUT from my experience -- as I've said earlier -- some plugins don't react well (NextGEN Gallery's [album] shortcode is one of those).

    So, I'm not that surprised that Exec-PHP breaks. I'll have to look at its code and see if I can figure out where the problem is...

    BTW, you might want to take a look at this:

    http://wordpress.org/support/topic/plugin-exec-php-minor-patch-to-fix-depreciated-code?replies=1

    ;-)

    js.

  21. JS Morisset
    Member
    Plugin Author

    Posted 1 year ago #

    Do you have anything in your logs?

    Exec-PHP basically does this:

    add_filter('the_content', array(&$this, 'filter_user_content'), 1);

    Which adds itself as a filter to the_content with the highest priority (most plugins are at 10).

    filter_widget_content($content) checks access and then runs:

    return $this->eval_php($content);

    I suspect something in eval_php() must not be compatible...

    function eval_php($content)
            {
                    // to be compatible with older PHP4 installations
                    // don't use fancy ob_XXX shortcut functions
                    ob_start();
                    eval("?>$content<?php ");
                    $output = ob_get_contents();
                    ob_end_clean();
                    return $output;
            }

    It could be a memory or PHP resource issue. Do you have access to your web server's error log? PHP errors usually show up there. How much memory do you have allocated to PHP?

    You might want to have a look at http://codex.wordpress.org/Debugging_in_WordPress.

    I'm off for today.

    Take care,

    js.

  22. RMJ
    Member
    Posted 1 year ago #

    Okay, I will look into that patch and also check my logs to find out more about it.

    I've now put the official version on the site so it stays up... I guess I have to set up a test WP install to figure this out; I can't really keep killing the site.

    But yeah, at the moment it seems introducing any function in the page kills it. Anything simple works fine, I can

    I tried one more thing: instead of using the functions, I put the code from the function where I need it and everything works fine. So it really is the function (call?) that doesn't work anymore. I could live with that, but it surely complicates things on some pages where I have to call the same code many times.

    edit:
    I did not yet have time to check the logs as I came up with another problem. I turned on error messages on my PHP server, but for one reason or another it caused one option to disable itself and another site broke... took me a while to figure out what that was.

    And yeah, I have root access so I can check everything. Will do it tonight.

  23. RMJ
    Member
    Posted 1 year ago #

    The error I get when declaring a new function:

    Fatal error: Cannot redeclare new_function() (previously declared in /home/admin/test1/wp-content/plugins/exec-php/includes/runtime.php(42) : eval()'d code:10) in /home/admin/test1/wp-content/plugins/exec-php/includes/runtime.php(42) : eval()'d code on line 10

    I searched a bit about it but couldn't find any solution yet. I found some earlier talk about such an error but no resolution.

    If I comment out this filter line from your source, then the error goes away, but obviously the fix goes away too and I again get the PHP posted in the meta tag.

    $content = apply_filters( 'the_content', $content );

    The redeclaring sounds like the same PHP code gets parsed twice because of applying this filter.

    It's now too late to dig any deeper, but tomorrow I'll have to see what's going on.

  24. JS Morisset
    Member
    Plugin Author

    Posted 1 year ago #

    RMJ,

    I have a new version for you to try. Download http://downloads.wordpress.org/plugin/nextgen-facebook.zip again and uncheck a new option at the bottom called "Filter Content for Meta Tags". That will disable the content filtering.

    I've added a fix for relative URLs in the IMG SRC string, so that should (I hope) compensate for the stripping of the PHP code there. ;-)

    There are a few other changes, but it's all 'under the hood' stuff...

    Thanks,

    js.
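    One way to do the "fix for relative URLs in the IMG SRC string" mentioned in this reply, as an added stand-alone PHP example that is not NGFB's code (the function name `example_absolutize_src` and the site and page URLs are assumptions). Whatever survives in an <img src> is made absolute before it reaches og:image, covering the three forms a crawler cannot resolve on its own: a root-relative path (the case from earlier in the thread), a scheme-relative URL, and a path relative to the current permalink. Dot segments (`../`) are not normalised.

```php
<?php
// Added example, not NGFB's code. Function name is hypothetical.

function example_absolutize_src( string $src, string $site_url, string $page_url ): ?string {
    $src = trim( $src );
    if ( $src === '' ) {
        return null;
    }
    // Already absolute: leave it alone.
    if ( preg_match( '#^https?://#i', $src ) ) {
        return $src;
    }
    $site = parse_url( $site_url );
    if ( empty( $site['scheme'] ) || empty( $site['host'] ) ) {
        return null;   // cannot anchor anything without a site origin
    }
    // Scheme-relative ("//host/path"): borrow the site's scheme.
    if ( substr( $src, 0, 2 ) === '//' ) {
        return $site['scheme'] . ':' . $src;
    }
    // Root-relative ("/path"): anchor at the site's origin (scheme + host [+ port]).
    $origin = $site['scheme'] . '://' . $site['host']
            . ( isset( $site['port'] ) ? ':' . $site['port'] : '' );
    if ( $src[0] === '/' ) {
        return $origin . $src;
    }
    // Page-relative ("images/x.png"): resolve against the directory of the
    // current permalink, e.g. http://site/agenda/ -> http://site/agenda/images/x.png
    $path = (string) parse_url( $page_url, PHP_URL_PATH );
    if ( $path === '' || substr( $path, -1 ) === '/' ) {
        $dir = $path === '' ? '/' : $path;
    } else {
        $dir = rtrim( dirname( $path ), '/' ) . '/';
    }
    return $origin . $dir . $src;
}

// Constructed inputs; the site and page URLs are assumptions.
$site = 'http://www.example.com';
$page = 'http://www.example.com/agenda/';
$srcs = array(
    '/resources/images/agenda/agenda-20130105-hedbomusiquemag.png',  // root-relative
    '//cdn.example.com/share_2.png',                                  // scheme-relative
    'images/agenda-20130105-hedbomusiquemag.png',                     // page-relative
    'http://www.example.com/already/absolute.png',                   // unchanged
    '',                                                               // nothing usable
);
foreach ( $srcs as $src ) {
    var_dump( example_absolutize_src( $src, $site, $page ) );
}
```

    The result is still a candidate, not a trusted value: an absolute URL built this way should go through the same scheme check and attribute escaping as any other og:image value before it is written into the page.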

  25. JS Morisset
    Member
    Plugin Author

    Posted 1 year ago #

    RMJ,

    In your PHP code, you might want to use:

    if ( ! function_exists( 'your_function_name' ) ) {
        function your_function_name() {
        }
    }

    And I think you're using "include" as well, right? You might want to use "include_once" instead.

    With that, maybe exec-php will be compatible with WP's apply_filters('the_content') function...

    js.

  26. RMJ
    Member
    Posted 1 year ago #

    Happy new year!

    I installed the newest dev version on my test site and well... it doesn't exactly fix the problem. No notable change in behaviour: declaring a function causes it to be declared multiple times and results in a PHP error that breaks the page.

    However, I did try include_once and it fixes the redeclared functions. So technically it's a working workaround at the moment. The bug itself still exists of course, and if I try to type the function directly on the page (not in an include file) then it will be a problem again (although checking if the function exists would probably solve that too, but that's again a workaround, not a fix).

    Now that I have got my functions running and includes working, I see the next bug...

    This one is strange... Firstly, if I have include() inside my file that was included with include_once(), then the second include will be run multiple times again, which I don't understand... Of course the problem goes away again if I change that other include to include_once() too. But I have absolutely no idea why the include gets run multiple times when at the same time the existing functions in that file don't get declared twice... This might be some PHP strangeness, so I'm not going to put my time into looking for a solution for this... just thought I'd mention it.

    The second bug is equally strange, if not even stranger...

    Now, if I include a file that doesn't have functions inside it (so basically it's just a script itself that should get run from the beginning to the end), I get no output at all! In fact, nothing gets run in that script! The whole file content is simply ignored like a comment...

    So for example, if I include a file that has:

    <?php
    echo "hello from include file!";
    ?>

    Absolutely nothing gets output!

    However, I found a workaround for this also. If I wrap all of that in a function and call it (from the page where I first include the script), it runs just fine. This is a working workaround but a bit annoying, as I have to change all my scripts and put everything in them inside a function.

    So, with the code above, I have to change it to:

    <?php
    function script_inside_include_file() {
    echo "hello from include file!";
    }
    ?>

    And then call it from the page to get it run. Yes, it works, but it's rather annoying. And on a big site it would be a pain in the butt to change all scripts like that (in my case there are thankfully only maybe half a dozen pages I need to fix).

    So, that's what I know so far...

    You can see the development version in action at
    http://test1.alizeeart.com

    It's a copy of the original site. Pages I'm currently debugging are the main page (it has an include because I grab the "aligram" photo from the database), also the agenda page of course, as it all started from that (it works correctly, by the way), and now I have this new headache with the Aligram and Wallpapers pages, where I have included a script that renders the whole content of the page; as it's not originally written inside functions (well, surely it has them too, but I mean in general it's run from top to bottom), those pages stopped working, as nothing gets run from the script.

    BTW, I commented out the part of your code where you check that the image grabbed from the URL must be over 150 pixels. The agenda page started showing my default image because the small images on the agenda page are only 160x90 pixels, but I want them to be used and show up on Facebook.

    So in my install the plugin now has:

    // if we're picking up an img for src, make sure it's width and height is large enough
    if ( $src == 'share' || ( $src == 'src'  ) ) {

    instead of:

    // if we're picking up an img for src, make sure it's width and height is large enough
    if ( $src == 'share' || ( $src == 'src' && $width >= $size['width'] && $height >= $size['height'] ) ) {

    I think there should be an option to allow smaller images also. Or at least there should be an option to set the minimum width and height.

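    The following stand-alone PHP script is an added example, not code from NGFB or Exec-PHP. It reuses the eval_php() logic quoted in post 21 and evaluates the same content twice in one request, once for the meta-tag pass (output captured and thrown away) and once for the page, which is what happens when the plugin calls apply_filters('the_content') from wp_head while Exec-PHP is also hooked on the_content. Against constructed include files it reproduces the three observations from posts 23, 25 and 26: an unguarded function declaration is a fatal "Cannot redeclare" error on the second pass, a function_exists() guard or include_once makes it safe, and an include_once of a bare script prints nothing, because its only execution happened in the head pass whose output was discarded, while functions defined in that pass survive for the second one. That last explanation is my reading of the thread, not something either participant states.

```php
<?php
// Added example, not Exec-PHP's or NGFB's code.

// Mirrors the eval_php() routine quoted in the thread.
function eval_content( string $content ): string {
    ob_start();
    eval( "?>$content<?php " );
    $output = ob_get_contents();
    ob_end_clean();
    return $output;
}

// Simulates the two passes over one post: the head pass only extracts data
// from the rendered text and discards it; the body pass is what the visitor sees.
function render_twice( string $content ): string {
    eval_content( $content );          // head pass (meta tags), output dropped
    return eval_content( $content );   // body pass (page)
}

$dir = sys_get_temp_dir() . '/ngfb_example_' . getmypid();
mkdir( $dir );

// Constructed include file 1: a bare script with no functions.
file_put_contents( "$dir/script.php", '<?php echo "hello from include file!"; ?>' );

// Constructed include file 2: the same script wrapped in a guarded function.
file_put_contents( "$dir/funcs.php", '<?php
if ( ! function_exists( "script_inside_include_file" ) ) {
    function script_inside_include_file() {
        echo "hello from include file!";
    }
}
?>' );

// Case 1: include_once of a bare script. The first pass includes and runs it
// (output discarded); the second pass skips the file, so the page is empty.
var_dump( render_twice( '<?php include_once "' . $dir . '/script.php"; ?>' ) );

// Case 2: include_once of function definitions plus a call. The definition
// survives from the first pass and the call runs again in the second pass.
var_dump( render_twice( '<?php include_once "' . $dir . '/funcs.php"; script_inside_include_file(); ?>' ) );

// Case 3: a plain include re-parses funcs.php on the second pass. Without the
// function_exists() guard that is the fatal "Cannot redeclare" error from the
// thread; with the guard the declaration is skipped and the call still works.
var_dump( render_twice( '<?php include "' . $dir . '/funcs.php"; script_inside_include_file(); ?>' ) );

unlink( "$dir/script.php" );
unlink( "$dir/funcs.php" );
rmdir( $dir );
```

    The first var_dump is an empty string and the other two carry the greeting. The same property holds for any content that is evaluated by more than one filter pass: side effects that are not idempotent (declarations, plain includes, counters) need a guard, and output that matters must be produced in the pass that is actually rendered.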
  27. JS Morisset
    Member
    Plugin Author

    Posted 1 year ago #

    Ok, that's quite a bit of info there... :-)

    Using function_exists and include_once is the way to go -- using apply_filters('the_content') is quite common, so you may want to fix your code for future plugins you may use.

    On a related note, I have to put NGFB functions within a class and use a class_exists() check myself -- just in case. ;-)

    BTW, have a look at the bottom of the FAQ for "Why does NextGEN Facebook OG ignore the IMG HTML tag in my content?". Facebook and others might reject your image because it's too small...

    js.

  28. RMJ
    Member
    Posted 1 year ago #

    Yeah, I guess I'll keep using them. Surely it won't hurt to use them.

    The only big problem now is that the scripts don't get run when included unless written into functions. But I have absolutely no idea what to do about it. So I guess I just have to live with it.

    About those images: well, at least those 160x90 pictures don't get rejected by Facebook. Maybe checking if one dimension exceeds the limit would be enough?

  29. JS Morisset
    Member
    Plugin Author

    Posted 1 year ago #

    RMJ,

    I just checked-in v2.3 in the trunk. Please download and install the DEV version again at http://downloads.wordpress.org/plugin/nextgen-facebook.zip.

    There are a lot of changes in this version, including one for you. ;-) Add the following to your wp-config.php (or template header.php):

    define( 'NGFB_MIN_IMG_SIZE_DISABLE', true );

    That will disable the image size check. The other changes are:

    * Renamed DISABLE_NGFB_OPEN_GRAPH_DISABLE constant to NGFB_OPEN_GRAPH_DISABLE (though both are allowed).
    * Added the NGFB_MIN_IMG_SIZE_DISABLE constant to disable minimum width and height checks for IMG SRC attributes.
    * Added the StumbleUpon social sharing button.
    * Added a "Preferred Order" option to control the order in which buttons appear.
    * Moved the javascript used by all buttons into the footer section.
    * Moved the admin settings page code into plugins/nextgen-facebook/lib/admin.php.
    * Moved the widget code into plugins/nextgen-facebook/lib/widgets.php.
    * Added the ngfbLoader class and started moving functions into it.

    Thanks,

    js.

  30. RMJ
    Member
    Posted 1 year ago #

    Okay, cool, I will give it a try.

    I noticed 2.3 and it is actually running on my site (with the image size check commented out). So it's working quite nicely now, well, after the changes I had to make to my scripts.

    But I will install this dev version now and see how it works.

Topic Closed

This topic has been closed to new replies.
