• Resolved tansk

    (@tansk)


    I have encountered this error when adding a Comment. It works fine, but hits an error in my situation. I found an undesirable temporary bypass, and am looking for a more permanent solution.

    My situation is this :

    I have developed a direct time-limited login token that is appended to the URL and works well with several plugins. It takes the form http://WWW.ABCXYZ.COM?security_token=abcd….

    I sent out an email to my members to add comments to a photo_id 1234 by calling :
    https://WWW.ABCXYZ.COM/add-photo-comments/?security_token=abcd….&photo_id=1234

    It logs in correctly and calls the page add-photo-comments, which has a shortcode – and in turn triggers the function: echo do_shortcode('[wppa type="xphoto" photo="' . $photo_id . '" size="0.75" align="center"]');

    The photo and the comments page is displayed, ready for the comment and the rating to be added.

    However when entering the comment, I get a message “Security Check Failure”

    If I change the rating, I also get an error with Error Code 100.

    The problem is fixed (temporarily) if I bypass the security check in wppa-ajax.php (Version 7.0.01 ) from line 442 to 445

    Rather than bypass it (I know I should not be doing it, but it was part of the troubleshooting process), what can be done to have a more permanent solution? Looks like some preconditions need to be set for it to pass the security check.

    Thanks

Viewing 15 replies - 1 through 15 (of 20 total)
  • Plugin Author Jacob N. Breetvelt

    (@opajaap)

    You need the following arguments in the ajax call:

    &moccur=1 ( may be any integer number, usually the sequence number of the wppa instance on the page, let’s call it $moccur ),
    &wppa-nonce= the value generated by the wp function:
    wp_create_nonce( 'wppa-nonce-' . $moccur );

    If these arguments are present and match (= based on the same $moccur) you will pass the security check.

    So, if you have &moccur=7 you should add
    &wppa-nonce={the value of: wp_create_nonce( 'wppa-nonce-7' );}

    I have encountered this error when adding a Comment. It works fine, but hits an error in my situation.

    I would like to know why you need this; what do you want to do that is not possible using the standard features. In other words: pls explain what you mean by ‘my situation’.

    Thread Starter tansk

    (@tansk)

    Thanks for the fast response.

    My situation is this… I run an alumni site and the system pushes out a weekly email which includes 2 random photos. I’m giving them the ability to click on the photo, which will autolog them into the site, leading to that photo so that they can add comments to it.

    Plugin Author Jacob N. Breetvelt

    (@opajaap)

    You could make a page with shortcode [wppa type="landing"] and create a link in the email like:

    https://betatest.opajaap.nl/landin-page/?wppa-occur=1&wppa-single=1&wppa-album=5&wppa-photo=5584

    Try the link, it’s live (for the moment).

    Plugin Author Jacob N. Breetvelt

    (@opajaap)

    BTW: for the rating you need:

    &wppa-rating= ( a number in the range from 1 to 5 or 10, or -1 for dislike, depends on your settings for rating size )
    &wppa-occur=1
    &wppa-nonce= the result of wp_create_nonce( 'wppa-check' );

    Thread Starter tansk

    (@tansk)

    I am getting some odd results.

    Here’s what I’m using to generate the nonce:

    $mocc = 1;
    $wppa_value = wp_create_nonce( 'wppa-nonce-' . $mocc );
    $wppa_token = '&moccur=' . $mocc . '&wppa-nonce=' . $wppa_value;

    I then add the token to the URL : (137 is the photo_id)

    URL …. 69e9027a&moccur=1&wppa-nonce=6fdc8660cf&parameter=137

    I then do a check on the values passed at line 441 in wppa-ajax.php:
    echo "XXXXXX " . $mocc . " " . $nonce . " " . $photoid;

    if ( ! wp_verify_nonce( $nonce, 'wppa-nonce-' . $mocc ) ) {
        _e( 'XXXSecurity check failure', 'wp-photo-album-plus' );

    The value that is echoed are :
    XXXXXX 1 e20fa4b7c7 137XXXSecurity check failure

    The wppa_nonce value is somehow modified from 6fdc8660cf to e20fa4b7c7

    Thread Starter tansk

    (@tansk)

    I have just tried using the landing page suggestion – the URL successfully logs into the site through my direct login routine, and calls out the photo (I prefer this layout to the type=xphoto shortcode which I have been using).

    On adding the comments I get the same security check failure. The nonce value got changed.

    URL :
    9027a&moccur=1&wppa-nonce=ffa9aaf8ce&wppa-occur=1&wppa-single=1&wppa-album=17&wppa-photo=164

    Echo code in 441 :
    XXXXXX 1 e172344621 164XXXSecurity check failure

    Again the ffa9aaf8ce value is received as e172344621. I think if we can solve this, both approaches will work.

    Plugin Author Jacob N. Breetvelt

    (@opajaap)

    I think the problem is with your login procedure.
    The nonce value is dependent on login status and time. Maybe the login URL args should also be included in the ajax calls, and that is un-doable.

    I have an idea for a different approach:

    Try this:
    – Untick Table IV-F1: Comment login. They need not log in
    – Untick Table IV-E1: Rating login. They need not log in
    – Tick Table IV-A6.1: Enable encrypted links
    – Tick Table IV-A6.2: Refuse unencrypted

    Now they need not log in, but they cannot guess a photo or album identifier.

    Try this link ( &wppa-xxx is equivalent to &xxx; tick Table IV-A5: Use short query args ):

    https://betatest.opajaap.nl/landin-page/?occur=1&single=1&album=40kMMnA6ursF&photo=382T9Q24UFii

    You can make such a link as follows (example for the link above on my test site):

    <?php
    $page  = 840;  // Landing page id
    $album = 5;    // Album id
    $photo = 5584; // Photo id
    $link  = get_permalink( $page ) . '?occur=1&single=1&album=' . wppa_get_album_item( $album, 'crypt' ) . '&photo=' . wppa_get_photo_item( $photo, 'crypt' );

    You can make the link more cryptic by using Table IV-A6: Enable pretty links:

    ‘Classic’: (This one works even when my setting of IV-A6 = ‘none’ )
    https://betatest.opajaap.nl/landin-page/wppaspec/oc1/si1/ab40kMMnA6ursF/pt382T9Q24UFii

    ‘Compressed’: (This one does not work now because my setting of IV-A6 = ‘none’ )
    https://betatest.opajaap.nl/landin-page/-//1/40kMMnA6ursF/382T9Q24UFii///////////1

    Now you have the full security, no special things to do for your users, and believed to be not hackable to enter comments or ratings to other photos.
    Make sure other pages with slideshows are login protected, because no need to login for comments and ratings is system wide.
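Why the nonce minted while the email is built fails once the member clicks the link, as an added model written for this thread (not code from the plugin or from either poster): it re-implements the WordPress wp_create_nonce/wp_verify_nonce scheme as I understand it from core (HMAC-MD5 over tick|action|uid|session token, 10 hex chars, a tick every half of the 24-hour nonce life, current and previous tick accepted) in Python; the salt, user ids, session tokens and timestamps are constructed.

```python
import hashlib
import hmac
import math

NONCE_SALT = b"constructed-demo-salt-not-a-real-site-secret"  # stands in for NONCE_KEY/NONCE_SALT
NONCE_LIFE = 24 * 60 * 60  # WordPress default nonce life: DAY_IN_SECONDS


def nonce_tick(now: int, life: int = NONCE_LIFE) -> int:
    """wp_nonce_tick(): the tick counter advances every life/2 seconds (12 h by default)."""
    return math.ceil(now / (life / 2))


def wp_hash(data: str) -> str:
    """wp_hash(data, 'nonce'): HMAC-MD5 of the data under the nonce salt."""
    return hmac.new(NONCE_SALT, data.encode(), hashlib.md5).hexdigest()


def create_nonce(action: str, uid: int, token: str, now: int) -> str:
    """wp_create_nonce(): 10 hex chars cut from the hash of tick|action|uid|session token."""
    return wp_hash(f"{nonce_tick(now)}|{action}|{uid}|{token}")[-12:-2]


def verify_nonce(nonce: str, action: str, uid: int, token: str, now: int) -> int:
    """wp_verify_nonce(): 1 if minted in the current tick, 2 if in the previous one, else 0.
    uid and token are those of the user whose browser sends the AJAX call, not the minter's."""
    i = nonce_tick(now)
    for age, tick in ((1, i), (2, i - 1)):
        expected = wp_hash(f"{tick}|{action}|{uid}|{token}")[-12:-2]
        if hmac.compare_digest(expected, nonce):
            return age
    return 0


def thread_scenario() -> dict:
    """Reproduces the thread: the nonce is minted while building the email, checked in the reader's session."""
    action = "wppa-nonce-1"  # action for moccur=1, as the plugin author describes
    t0 = 1_600_000_000  # constructed send time
    mailer = {"uid": 1, "token": "mailer-session"}  # constructed: the account that builds the mail
    member = {"uid": 42, "token": "member-session"}  # constructed: the alumnus who clicks the link
    n = create_nonce(action, now=t0, **mailer)
    return {
        "same_session_now": verify_nonce(n, action, now=t0, **mailer),             # 1: current tick
        "same_session_20h": verify_nonce(n, action, now=t0 + 20 * 3600, **mailer),  # 2: previous tick
        "other_user_now": verify_nonce(n, action, now=t0, **member),               # 0: other uid/token
        "same_session_2d": verify_nonce(n, action, now=t0 + 2 * 86400, **mailer),  # 0: nonce life exceeded
    }
```

Only the first two cases pass; the link in a weekly email is opened by a different user (and usually a day or more later), so both the session and the tick differ and the check fails regardless of how the nonce is carried in the URL.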

    Thread Starter tansk

    (@tansk)

    Thanks for spending so much time on helping with this. I now understand why the nonce approach does not work as the user may click on it a day later and a different nonce is generated.

    The new approach you suggested will not work for me as I want to log the user who made the comment. The landing page does ask for an email & a name – but I don’t think the users will want to key the info in each time they want to make a comment.

    How about adding a ‘permanent nonce’ as an alternative?

    This can be a unique wppa-salt value visible in the WPPA setup, and one can embed a url_salt into the URL to verify against it (i.e. …&url_salt=2837424651&…).

    Then in the wppa-ajax, line 442 can be

    if ( ( ! wp_verify_nonce( $nonce, 'wppa-nonce-' . $mocc ) ) or ! wppa_verify_salt( $wppa_salt, $url_salt ) )

    Will this work? Is this a possible approach – for the next release?

    Plugin Author Jacob N. Breetvelt

    (@opajaap)

    In Table IV-F4 you can switch off the need for the email.

    If you accept the need to use the crypts for both album and photo ids, I could make a setting that bypasses the nonce check if – for the comment – both crypts are valid, and for the rating: the photo crypt is valid.

    Another thing that may be useful for you: You can invalidate ‘old’ emails by renewing the crypts (Table VII-A 13, 13.1, 14, 14.1)

    Thread Starter tansk

    (@tansk)

    Jacob,

    I am OK with using the crypts for both the albums and the photo ids.

    Do make the bypass setting. Many thanks.

    Will this also handle the bypass for ratings?

    I’ll look into the invalidation of old emails (Table VIII) later on whether I should set them on.

    Plugin Author Jacob N. Breetvelt

    (@opajaap)

    Yes, same for ratings.
    Will be implemented in 7.0.03, available in a few days.

    Thread Starter tansk

    (@tansk)

    Great. Will look out for it.

    Thanks.

    Plugin Author Jacob N. Breetvelt

    (@opajaap)

    Pls update to 7.0.03, and tick the box in Table IX-A14.

    I called it Direct comment Enable direct commenting and rating from remote source

    The helptext is:

    This setting has only effect when Table IV-A6.1 and 6.2 are ticked
    Use with care, and only in special situations! The default for this setting is: no: Unchecked

    It should work now. Pls keep me informed

    Thread Starter tansk

    (@tansk)

    Yes it works. Great. Thanks.

    I’m not sure if this is a bug or specific to my site.

    When using the encrypted links (Table IV, 6.1 & 6.2), the WPPA + Comments on Photos widget cannot retrieve the photo. I get an error message of “No photos found matching your search criteria.”

    When not using the encrypted links the widget works OK.

    The WPPA + Last Ten Photos widget works with both encrypted and plain links

    Plugin Author Jacob N. Breetvelt

    (@opajaap)

    Thanx for the feedback.

    What is your setting in Table VI-7: Link type?

  • The topic ‘Security Check Failure when Adding Comments to Photos’ is closed to new replies.