• Resolved RMJ

    (@rmj)


    I was today fooling around on my site, updated this plugin (I had and old 1.x modified version on my site because the old one didn’t work as I liked on few pages when I first installed it). Later when I already thought everything was running just fine, I posted a link of one page on Facebook and got surprised the misformed preview the Facebook gave for my post (image missing and description had parts of image link). First I

    Quick look into source code of the page showed the pretty serious bug. This is exactly what the Nextgen FB plugin had written to source:
    <meta property="og:image" content="<?php echo site_url(); ?>/resources/images/agenda/agenda-20121229-dj.png" />

    I use Exec-PGP plugin which allows adding PHP code into the content of the page. Nextgen FB plugin seems to copy the content as is without any check of possible code in it.

    What I had written on my page in wordpress:
    <div class="image"><div class="date">2012-12-29</div><div><img src="<?php echo site_url(); ?>/resources/images/agenda/agenda-20121229-dj.png" alt="" /></div></div>

    In my case, I was lucky it’s quite harmless what happened to be on that one page within img tag. But I can imagine the harm done if some runs more complex scripts there, maybe even DB queries with passwords hard coded there!

    Note that the Exec-PHP was operating normally when viewing the page, so wordpress itself did parse the content normally before showing it.

    http://wordpress.org/extend/plugins/nextgen-facebook/

Viewing 15 replies - 1 through 15 (of 33 total)
  • Plugin Author JS Morisset

    (@jsmoriss)

    RMJ,

    Let’s not get ahead of ourselves — NGFB ran and picked up code before it could be executed. The code is output from PHP, not input.

    All plugins are executed in a certain order, depending on their priority. Most plugins have a priority of “10”, including the NGFB function that adds the meta tags. If you were to change the priority on this line from “10” to perhaps “20” or more, your problem should go away.

    add_filter( 'wp_head', 'ngfb_add_meta_tags', 10 );

    I will make this change in v2.1.2, and also filter the og:image tag as I do most others (like og:description).

    Let me know if the change in priority fixes your issue.

    Thanks,

    js.

    Plugin Author JS Morisset

    (@jsmoriss)

    RMJ,

    I just uploaded a new version with the change I suggested above, and some additional sanitation of OG values. Give v2.1.2 a try and let me know if that fixes your issue.

    Thanks,

    js.

    Okey, good to know. I thought it might have been something to do in the order the plugins work but didn’t even had time to find out if I could change it.

    But I guess by default it might be good then to run this plugin a bit later in the order to avoid such situation.

    I will try out the new version today and let you know how it goes in my site.

    I updated the plugin and tried the same code as I had before.

    The problem now is that it completely igonores the PHP code (or it’s output), resulting in partial url (just the relative path). Because the image path is now incomplete, Facebook won’t fetch the image and throws error:

    The meta tag now says:
    <meta property="og:image" content="/resources/images/agenda/agenda-20130105-hedbomusiquemag.png">

    Whilst the source code (of the first image) later says:
    <img src="http://www.MYSITE.com/resources/images/agenda/agenda-20130105-hedbomusiquemag.png" alt="" />

    That happens when using my earlier code:
    <img src="<?php echo site_url(); ?>/resources/images/agenda/agenda-20130105-hedbomusiquemag.png" alt="" />

    Due to relative path inside the meta tag, Facebook is not able to process it. (interestingly enough they won’t try to fetch it from the base domain if relative path is given)

    Here is quote from the Facebook (home > tools > debugger) :

    Errors That Must Be Fixed
    Object Invalid Value: Object at URL ‘http://www.MYSITE.com/agenda/’ of type ‘article’ is invalid because the given value ‘/resources/images/agenda/agenda-20130105-hedbomusiquemag.png’ for property ‘og:image:url’ could not be parsed as type ‘url’.

    It actually might work if I weren’t using permalinks. I don’t know if FB is trying to fetch the image from MYSITE.com/agenda/resources/ instead of the real path MYSITE.com/resources/

    Either way, the meta tag should include the full path to avoid such a problem.

    BTW,
    I changed from the plugin source the filter setting from 20 back to 10 and it does not show anymore the PHP code (or anything at all) in the source when running the site. That’s a good thing. Even going all the way to 1 won’t get the PHP code outputted so that surely fixes the security problem. Now the problem is just how to get the PHP parsed and to output the proper url there.

    Plugin Author JS Morisset

    (@jsmoriss)

    Hm… My guess is the plugin is going to “the_content” to get that img URL, and in your content, you must have some uninterpreted PHP. Since the OG meta tags are created in the_head, I should be able to pass the content through a “the_content” filter… Just to make sure, could you turn on debug mode (check-box near the bottom of the options page) and give me the URL to that webpage? I’ll have a look at the page source to make sure that img URL is really being picked up from the content. I should be able to update the plugin later today.

    Thanks,

    js.

    It’s in debug mode now:

    http://www.alizeeart.com/agenda/

    The debug information seems to confirm the problem.

    Plugin Author JS Morisset

    (@jsmoriss)

    Yeah, that’s what I suspected:

    image_source = preg_match_all / img src / <?php echo site_url(); ?>/resources/images/agenda/agenda-20130105-hedbomusiquemag.png

    As a last resort, NGFB looks in the content for an <img> tag. It found one, but the content has not been rendered enough to complete the URL.

    The sanitation code I added to 2.1.2 takes care of stripping the PHP, but that doesn’t fix the issue. 😉

    Could you test the current development version at http://downloads.wordpress.org/plugin/nextgen-facebook.zip? I added an “apply_filters()” function which should fix the problem.

    BTW, very nice site design. Clean and attractive.

    Thanks,

    js.

    Thanks for the comment. 🙂

    Anyways, I tried the development version and it’s not a change to good direction. It picks up the “thumblr” image this time.

    From the source code:

    Debug Array:
    	image_source = preg_match_all / img src / http://platform.tumblr.com/v1/share_2.png

    Why it doesn’t see the same image as before ? (nothing has changed on my page) Also a bit strange that it picks up a image generated by the script itself.

    Plugin Author JS Morisset

    (@jsmoriss)

    Ah. Yeah, that makes sense — it grabs the first <img> it finds.

    It picks up an image from the button because it runs apply_filters(‘the_content’) on the text, and the social buttons are part of the_content.

    Easy fix. Give me 5 mins. 😉

    js.

    Plugin Author JS Morisset

    (@jsmoriss)

    Alright, give the development version another go:

    http://downloads.wordpress.org/plugin/nextgen-facebook.zip

    🙂

    Thanks,

    js.

    Okey great, I’ll be waiting for the next version.

    I found the offending line in the code but as I don’t know the sytem well enough, don’t even know where to start fixing it. So better wait for your fix. 🙂

    Well, I got now the new version up and running and looks like it fixes the problem. 🙂

    Debug Array:
    	image_source = preg_match_all / img src / http://www.alizeeart.com/resources/images/agenda/agenda-20130105-hedbomusiquemag.png
    -->

    Thanks a lot. I will fool around to see if everything works.

    edit:
    It passes through FB debugger just fine too.

    Plugin Author JS Morisset

    (@jsmoriss)

    Excellent – glad I could help.

    js.

    Mmm…

    All the other pages containing PHP (in the page content) are now dead. No content is generated for them. (including main page)

    It happens with both development versions, so it must be related to your first try to fix it.

    I changed back to the official 2.1.2 release and it works (with wrong image of course).

    simple script like <?php echo "test" ?> works just fine but if I have more complex it breaks the page.

Viewing 15 replies - 1 through 15 (of 33 total)
  • The topic ‘serious security bug’ is closed to new replies.