Plugin: Smart Layers by AddThis » Security issue: plugin access to admin-ajax.php

  • Resolved Alexey

    (@dvascheta)


    Hello!

    After yesterday's update I found out that the plugin now needs access to /wp-admin/admin-ajax.php when loading all pages. I have .htpasswd protection on the wp-admin directory, so when you open any page you see a login/password dialog.

    Found

    <script type='text/javascript' src='http://mysite.com/wp-admin/admin-ajax.php?action=addthis_global_options_settings'></script>

    I’m sure it wasn’t here before update.

    Looked in settings and found “AJAX Support (Experimental)”, but neither checking nor unchecking it affects this line of code.

    Disabling the plugin also doesn’t help. Had to uninstall it, because wp-admin password protection is a great issue for me.

    Please do something to exclude this line from the page code (for example, exclude it when your experimental checkbox is not set), or give another solution; otherwise I can’t use the plugin. Hope I’m not alone with this problem.

    Thanks in advance.

    https://wordpress.org/plugins/addthis-smart-layers/

  • Plugin Author Julka Grodel

    (@jgrodel)

    Hello dvascheta

    On the plugin’s Advanced Settings page if you check the Asynchronous Loading checkbox the JavaScript from file will be echoed right onto the page instead of included via a URL.

    However, the admin pages for this plugin require the use of admin-ajax.php and there is no workaround for editing the settings for this plugin without it.

    All of the admin-ajax.php endpoints created by this plugin either expose harmless data, or first check the current user’s permissions before including sensitive information (such as your AddThis API key).

    Thanks,
    Julka

    Hello, Julka!

    Thanks!

    No, it doesn’t help. Installed the plugin again and checked Asynchronous Loading. The code is still in the pages, causing the login dialog. And I also remember that when I set it later, neither layers nor buttons were displayed with this checkbox.

    Regards,
    Alexey.

    Now I can’t see the share panel at all. Even with default settings.

    After a few installs and uninstalls I have this line of code in the header and can’t cut it off! Even after a total plugin uninstall!

    Blame Smart layers by Addthis!

    Perhaps I need to clean files and database manually… =/

    Recovered the site from backup. I have neither the time nor the desire to debug this plugin. Will look for some alternatives.

    Plugin Author Julka Grodel

    (@jgrodel)

    Hi Alexey.

    I just tested this on a new WordPress 4.5.3 instance with the most recent (2.0.0) version of this plugin. Selecting Asynchronous Loading removed the admin-ajax.php URL.

    If you’re not seeing the changes, and especially since you’re still seeing AddThis code after uninstalling the plugin, it sounds like you’re using a caching plugin. Do you have any caching plugins that haven’t been cleared since the change?

    Thanks,
    Julka

    Hi, Julka,

    No, I don’t. Used one but uninstalled it a year ago.

    Alexey.

    I remember this feature (Asynchronous Loading), it was in ver. 1 of the plugin. It doesn’t work for me. I.e. when I turned it on, I saw neither the panel nor the buttons in posts and pages.

    Hi, Julka,

    Sorry, found out that even when disabled, the caching plugin continues to generate cache!

    Nevertheless I can’t use the plugin, because with Asynchronous Loading switched on I see no buttons at all, and when it is switched off I have the security issue.

    So to stay with AddThis I think I should either enable everyone access to admin-ajax.php (which is not good for me), or install the AddThis panel as a script manually without the plugin (probably will try), or stay with plugin ver. 1 (I do now).

    But it will be nice if you release a plugin version without Ajax on the front. It’s not good to use files located in wp-admin for the front. The admin area with all its files should be only for admin purposes. Using Ajax in the admin panel is no problem; when I enter the admin area, I enter an additional login and password.

    The plugin worked without Ajax on the front in ver. 1 and I hope it could do so further.

    Regards,
    Alexey.

    Plugin Author Julka Grodel

    (@jgrodel)

    Some themes don’t follow WordPress conventions and skip calling wp_head and wp_footer when creating a page’s header or footer (and some do so inconsistently, in some templates but not others). In these themes, AddThis scripts can’t be added onto the page when Asynchronous Loading is enabled. If your theme supports widget areas then you can work around it by using the AddThis Script widget included in the plugin. For most themes, this widget won’t show up visually on the page, but that ultimately depends on the styles your theme has for widget containers.

    Yes, but I use Twenty Eleven. It’s hard to imagine something more native for WP.

    Thank you for your feedback and the given workaround. But I’m still looking forward to a plugin version without Ajax and without calling service files intended for the admin area.

    Plugin Author Julka Grodel

    (@jgrodel)

    We test with Twenty Eleven and the other WP native themes. I just re-ran those tests in a clean WordPress install. Everything worked as expected for me. You might have another plugin messing with wp_head or wp_footer output.

    Yes, maybe, but it will be hard to find which one, and even if I do, probably I will not switch off another plugin to let AddThis work properly.

    In my opinion, you loaded it with too many functions. It’s just social buttons, nothing more, and they should stay only social buttons.

    Your plugins were hard to configure, they had conflicts from the very beginning as I started to use them. It’s also hard to configure the certain set of buttons I want to be shown on the site.

    I remember that the last time I spent much time writing the code. I even saved it so as not to write it again, but when I installed ver. 2 of the plugin, I found out that this piece of code doesn’t work! The plugin told me it’s not valid JSON, but I had no idea what valid JSON is, I just had code that worked in ver. 1 but not in ver. 2.

    Later I found that I had to change single quotes to double and also put quotes around a few other words. And all your plugin consists of such little bugs, disconnects and misunderstandings.

    The only reason I use it is the back office with statistics. It’s really a good idea. But even there I have problems. For more than a year I wrote to your support because I see (and receive emails) not only for my site but also for two others which are not mine. Nobody could help me, so I just configured a filter in my mailbox not to see emails with statistics for other sites.

    Please try to understand me. I do not want just to blame your creature. Social buttons are not a very complicated thing. And a plugin for them should be lightweight and simple. It should create no problems and be inconspicuous. But yours isn’t! Instead of installing and forgetting I spend time showing you how you can make it better. And you’re telling me that there is something not right with my site. No! My site is ok. Maybe your plugin conflicts with another one. Maybe it is an SEO or security plugin. Do you think I will change a security plugin to let social buttons work? No! And no one will!

    Regards,
    Alexey.

    Plugin Author Julka Grodel

    (@jgrodel)

    Alexey,

    If there’s a way to add dynamically generated JavaScript onto a WordPress site without using admin-ajax.php, and without echoing it out directly on the page with wp_head, wp_footer, a widget or a shortcode, we would be interested in exploring it. At the moment we only support those five ways, and I don’t know of any others.

    Thanks,
    Julka
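
A minimal illustration of the two delivery paths discussed in this thread, added here as an example and not code from the AddThis plugin: public settings are inlined on the front end through the normal enqueue hooks, so visitors never request anything under /wp-admin/ (and an .htpasswd rule on that directory does not affect them), while the admin-only admin-ajax.php endpoint checks a nonce and the caller's capability before returning anything sensitive, which is the kind of check the plugin author describes above. All names (option key, script handles, action name, settings-page hook suffix, file paths) are hypothetical.

```php
<?php
/**
 * Added illustration, not AddThis code. Shows per-site JavaScript settings
 * delivered two ways: inlined for visitors, and via admin-ajax.php only for
 * privileged users. Hypothetical names: option 'myplugin_settings', script
 * handles 'myplugin-frontend' / 'myplugin-admin', action 'myplugin_get_settings'.
 */

// --- Front end: inline only the public settings through the enqueue path.
//     Visitors make no request to wp-admin/, so a protected wp-admin/ directory
//     does not trigger a login dialog on public pages.
add_action( 'wp_enqueue_scripts', function () {
    $settings = get_option( 'myplugin_settings', array() );

    // Whitelist: only non-sensitive keys are exposed to anonymous visitors.
    $public = array(
        'layout'   => isset( $settings['layout'] ) ? (string) $settings['layout'] : 'default',
        'services' => isset( $settings['services'] ) ? (array) $settings['services'] : array(),
    );

    // Hypothetical script path inside the plugin directory.
    wp_enqueue_script( 'myplugin-frontend', plugins_url( 'js/frontend.js', __FILE__ ), array(), '1.0', true );
    wp_add_inline_script(
        'myplugin-frontend',
        'window.mypluginSettings = ' . wp_json_encode( $public ) . ';',
        'before'
    );
} );

// --- Admin side: admin-ajax.php is the right tool here, but the handler
//     verifies the request before any sensitive value (e.g. an API key) leaves.
add_action( 'wp_ajax_myplugin_get_settings', function () {
    // Nonce check: rejects requests not originating from our settings page.
    check_ajax_referer( 'myplugin_settings_nonce', 'nonce' );

    // Capability check before sensitive data is included in the response.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $settings = get_option( 'myplugin_settings', array() );
    wp_send_json_success( $settings );
} );

// Deliberately no 'wp_ajax_nopriv_myplugin_get_settings' hook: anonymous
// callers receive WordPress's default "0" response instead of settings data.

// The settings page is the only place that loads the admin script and its nonce.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    if ( 'settings_page_myplugin' !== $hook ) { // hypothetical settings-page hook suffix
        return;
    }
    wp_enqueue_script( 'myplugin-admin', plugins_url( 'js/admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'myplugin-admin', 'mypluginAdmin', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'myplugin_settings_nonce' ),
    ) );
} );
```

The split matters for the scenario in this thread: the front-end path works whether or not wp-admin/ is reachable by visitors, and the admin path fails closed (nonce, then capability) rather than relying on the directory's HTTP authentication alone.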

    Hello, Julka,

    Unfortunately I do not know the programming languages used for the web. I just know others use JS for social buttons.

    Regards,
    Alexey.
