• Resolved RMJ


    I was fooling around on my site today and updated this plugin (I had an old, modified 1.x version on my site because the old one didn’t work as I liked on a few pages when I first installed it). Later, when I already thought everything was running just fine, I posted a link to one page on Facebook and was surprised by the malformed preview Facebook gave for my post (image missing and the description containing parts of the image link). First I

    A quick look into the source code of the page showed a pretty serious bug. This is exactly what the Nextgen FB plugin had written to the source:
    <meta property="og:image" content="<?php echo site_url(); ?>/resources/images/agenda/agenda-20121229-dj.png" />

    I use the Exec-PHP plugin, which allows adding PHP code into the content of the page. The Nextgen FB plugin seems to copy the content as is, without any check for possible code in it.

    What I had written on my page in WordPress:
    <div class="image"><div class="date">2012-12-29</div><div><img src="<?php echo site_url(); ?>/resources/images/agenda/agenda-20121229-dj.png" alt="" /></div></div>

    In my case, I was lucky that what happened to be on that one page within the img tag is quite harmless. But I can imagine the harm done if someone runs more complex scripts there, maybe even DB queries with passwords hard-coded there!

    Note that Exec-PHP was operating normally when viewing the page, so WordPress itself did parse the content normally before showing it.
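An added example, not the plugin’s code and not from the original post, of the check a meta-tag builder should make before reusing post content: `render_content` is a stand-in for WordPress’s the_content filter chain (it only resolves the site_url() snippet), and `https://example.org` is an assumed site URL.

```php
<?php
// Added example, not the plugin's code: build an og:image tag from post content
// without leaking unexecuted PHP source into the attribute.

// Constructed sample: the markup the original post had in the page body.
$raw_content = '<div class="image"><div class="date">2012-12-29</div><div>'
    . '<img src="<?php echo site_url(); ?>/resources/images/agenda/agenda-20121229-dj.png" alt="" /></div></div>';

// Stand-in for WordPress's the_content filter chain (Exec-PHP, shortcodes, ...):
// only the site_url() snippet is resolved here, so the example runs outside WordPress.
// https://example.org is an assumed site URL.
function render_content(string $content): string {
    return str_replace('<?php echo site_url(); ?>', 'https://example.org', $content);
}

// First <img src="..."> value in the markup, or null when there is none.
function first_img_src(string $html): ?string {
    return preg_match('/<img[^>]+src=["\']([^"\']+)["\']/i', $html, $m) ? $m[1] : null;
}

// Build the meta tag, or return null (and log why) when the source is not safe to emit.
function og_image_tag(string $content, bool $run_filters): ?string {
    if ($run_filters) {
        $content = render_content($content);
    }
    $src = first_img_src($content);
    if ($src === null) {
        return null;
    }
    // A leftover open tag means the content was never executed; emitting it would
    // disclose the PHP source to every consumer of the page's Open Graph data.
    if (preg_match('/<\?(php|=)?/i', $src)) {
        error_log('og:image skipped: unexecuted PHP found in img src');
        return null;
    }
    // Only absolute http(s) URLs are useful to Facebook as og:image.
    if (!preg_match('#^https?://#i', $src)) {
        return null;
    }
    return '<meta property="og:image" content="' . htmlspecialchars($src, ENT_QUOTES, 'UTF-8') . '" />';
}

// Raw post_content, as the plugin used it: refused and logged instead of leaked.
var_dump(og_image_tag($raw_content, false));
// Content run through the filter chain first: the resolved URL is emitted.
echo og_image_tag($raw_content, true), "\n";
```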


Viewing 15 replies - 16 through 30 (of 33 total)
  • Plugin Author JS Morisset


    Hm. I’ve had so-so results with using apply_filters(‘the_content’), which is why I wasn’t using it. On my end, it breaks NextGEN Gallery’s album shortcode, so I added a check for that specific shortcode:

    $content = $post->post_content;
    // the_content filter breaks the ngg album shortcode
    if ( ! preg_match( '/\[ *album[ =]/', $content ) ) {
            $content = apply_filters( 'the_content', $content );
            $content = str_replace( ']]>', ']]&gt;', $content );       // same escaping WordPress applies in the_content()
            $content = preg_replace( '/[\r\n\t ]+/s', ' ', $content );  // put everything on one line
            // remove the social buttons that may have been added
            $ngfb_msg = 'NextGEN Facebook OG Social Buttons';
            $content = preg_replace( "/<!-- $ngfb_msg BEGIN -->.*<!-- $ngfb_msg END -->/", ' ', $content );
    }

    Do you have access to the web server’s log files? Is there anything in the error log?

    What plugin are you using to render that PHP code?



    Mmm, actually it’s the first @include that breaks it.

    I’m including some functions for the page like this and it seems to break it.

    <?php @include('/path/to/php.file'); ?>

    The file has a few functions, but the page breaks no matter whether I try to call them or not. No extra lines before or after the PHP brackets (inside the include file), and it doesn’t output anything (neither inside nor outside the functions).

    I will have to check logs for more information.

    I used Exec-PHP plugin.

    The page breaks if I add

    function any_function() {
        // ...
    }

    So the include probably works but it dies when (something is) trying to parse the function.

    Plugin Author JS Morisset


    As far as I can tell, using apply_filters(‘the_content’) is perfectly ok, BUT from my experience — as I’ve said earlier — some plugins don’t react well (NextGEN Gallery’s [album] shortcode is one of those).

    So, I’m not that surprised that Exec-PHP breaks. I’ll have to look at its code and see if I can figure out where the problem is…

    BTW, you might want to take a look at this:




    Plugin Author JS Morisset


    Do you have anything in your logs?

    Exec-PHP basically does this:

    add_filter('the_content', array(&$this, 'filter_user_content'), 1);

    Which adds itself as a filter to the_content with the highest priority (most plugins are at 10).

    filter_widget_content($content) checks access and then runs:

    return $this->eval_php($content);

    I suspect something in eval_php() must not be compatible…

    function eval_php($content)
    {
            // to be compatible with older PHP4 installations
            // don't use fancy ob_XXX shortcut functions
            ob_start();                 // capture everything the evaluated content prints
            eval("?>$content<?php ");
            $output = ob_get_contents();
            ob_end_clean();
            return $output;
    }

    It could be a memory or PHP resource issue. Do you have access to your web server’s error log? PHP errors usually show up there. How much memory do you have allocated to PHP?

    You might want to have a look at http://codex.wordpress.org/Debugging_in_WordPress.

    I’m off for today.

    Take care,


    Okay, I will look into that patch and also check my logs to see more about it.

    I put now the official version on the site so it stays up… I guess I have to put up test wp install to figure this out, can’t really keep killing the site.

    But yeah, at the moment it seems introducing any function in the page kills it. Anything simple works fine, I can

    I tried one more thing: instead of using the functions, I put the code from the function where I need it, and everything works fine. So it really is the function (call?) that doesn’t work anymore. I could live with that, but it surely complicates things on some pages where I have to call the same code many times.

    I did not yet have time to check the logs as I ran into another problem. I turned on error messages on my PHP server, but for one reason or another it caused one option to disable itself and another site broke… it took me a while to figure out what that was.

    And yeah, I have root access so I can check everything. Will do it tonight.

    The error I get when declaring a new function:

    Fatal error: Cannot redeclare new_function() (previously declared in /home/admin/test1/wp-content/plugins/exec-php/includes/runtime.php(42) : eval()'d code:10) in /home/admin/test1/wp-content/plugins/exec-php/includes/runtime.php(42) : eval()'d code on line 10

    I searched a bit about it but couldn’t yet find any solution. I found some earlier talk about such an error but no resolution.

    If I comment out this filter line from your source, then the error goes away, but obviously the fix goes away too and I again get the PHP posted in the meta tag.

    $content = apply_filters( 'the_content', $content );

    The redeclaring sounds like the same PHP code gets parsed twice because of applying this filter.

    It’s too late now to dig any deeper, but tomorrow I have to see what’s going on.

    Plugin Author JS Morisset



    I have a new version for you to try. Download http://downloads.wordpress.org/plugin/nextgen-facebook.zip again and uncheck a new option at the bottom called “Filter Content for Meta Tags”. That will disable the content filtering.

    I’ve added a fix for relative URLs in the IMG SRC string, so that should (I hope) compensate for the stripping of the PHP code there. 😉

    There are a few other changes, but it’s all ‘under the hood’ stuff…



    Plugin Author JS Morisset



    In your PHP code, you might want to use:

    if ( ! function_exists( 'your_function_name' ) ) {
        function your_function_name() {
            // ...
        }
    }

    And I think you’re using “include” as well, right? You might want to use “include_once” instead.

    With that, maybe exec-php will be compatible with WP’s apply_filters(‘the_content’) function…


    Happy new year!

    I installed the newest dev version on my test site and well… it doesn’t exactly fix the problem. No notable change in the behaviour: declaring a function causes it to be declared multiple times and results in a PHP error that breaks the page.

    However, I did try include_once and it fixes the redeclared functions. So, technically it’s a working workaround at the moment. The bug itself still exists of course, and if I try to type the function directly on the page (not in the include file) then it will be a problem again (although checking if the function exists would probably solve it also, but that’s again a workaround, not a fix).

    Now that I have got my functions running and includes working, I see the next bug…

    This one is strange… firstly, if I have include() inside my file that was included with include_once(), then the second include will be run multiple times again, which I don’t understand… of course the problem goes away again if I change that other include to include_once() too. But I have absolutely no idea why the include gets run multiple times when at the same time the existing functions in that file don’t get declared twice… This might be some PHP strangeness, so I’m not going to put my time into looking for a solution for this… just thought I’d mention it.

    The second bug, equally strange, if not even stranger…

    Now, if I include a file that doesn’t have functions inside it (so basically it’s just a script itself that should get run from beginning to end), I get no output at all! In fact, nothing gets run in that script! The whole file content is simply ignored like a comment…

    So for example, if I include a file that has:

    echo "hello from include file!";

    Absolutely nothing gets output!

    However, I found a workaround for this also. If I wrap it all in a function and call it (from the page, where I first include the script), it gets run just fine. This is a working workaround but a bit annoying, as I have to change all my scripts and put everything in them inside a function.

    So, with the code above, I have to change it to:

    function script_inside_include_file() {
        echo "hello from include file!";
    }

    And then call it from the page to get it run. Yes, it works, but it’s rather annoying. And on a big site it would be a pain in the butt to change all scripts like that (in my case there are thankfully only maybe half a dozen pages I need to fix).

    So, that’s what I know so far…

    You can see the development version in action at

    It’s a copy of the original site. The pages I’m currently debugging are the main page (it has an include because I grab the “aligram” photo from the database), also the agenda page of course, as it all started from that (it works correctly btw), and now I have this new headache with the Aligram and Wallpapers pages, where I have included a script that renders the whole content of the page; as it’s not originally written inside functions (well, surely it has them too, but I mean in general it’s run from top to bottom), those pages stopped working as nothing gets run from the script.

    BTW, I commented out the part of your code where you check that the image grabbed from the URL must be over 150 pixels. The agenda page started showing my default image because the small images on the agenda page are only 160×90 pixels, but I want them to be used and show up on Facebook.

    So in my install the plugin now has:

    // if we're picking up an img for src, make sure it's width and height is large enough
    if ( $src == 'share' || ( $src == 'src' ) ) {

    instead of:

    // if we're picking up an img for src, make sure it's width and height is large enough
    if ( $src == 'share' || ( $src == 'src' && $width >= $size['width'] && $height >= $size['height'] ) ) {

    I think it should be an option to allow smaller images also. Or at least there should be an option to set up the minimum width and height.

    Plugin Author JS Morisset


    Ok, that’s quite a bit of info there… 🙂

    Using function_exists and include_once is the way to go — using apply_filters(‘the_content’) is quite common, so you may want to fix your code for future plugins you may use.

    On a related note, I have to put NGFB functions within a class and use a class_exists() check myself — just in case. 😉

    BTW, have a look at the bottom of the FAQ for “Why does NextGEN Facebook OG ignore the IMG HTML tag in my content?”. Facebook and others might reject your image because it’s too small…
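An added example, not Exec-PHP’s or the plugin’s code, that reproduces outside WordPress the double evaluation this thread is about: the same content is evaluated once for the meta tags and once for the page. It covers both the function_exists/include_once advice above and the earlier report that a plain script in an include file produces no visible output; `eval_pass` and the include file are constructed for the example.

```php
<?php
// Added example, not Exec-PHP's or the plugin's code: a stand-in that evaluates page
// content twice, as happened for the poster above: once while the meta tags were
// built (output captured, not shown) and once while the page itself was rendered.
function eval_pass(string $content): string {
    ob_start();
    eval("?>$content<?php ");   // the same technique Exec-PHP's eval_php() uses
    return ob_get_clean();
}

// Constructed include file, written to a temp path so the example is self-contained.
$include_file = tempnam(sys_get_temp_dir(), 'ngfb');
file_put_contents($include_file, '<?php
echo "hello from include file!";          // top-level code: runs only when the file is loaded
if (!function_exists("greet")) {          // guard: a second evaluation must not redeclare it
    function greet(): string { return "greeting from function"; }
}
');

// include_once first: the second pass skips the file, so its top-level output is lost
// there while greet() still answers. Plain include loads the file on both passes; the
// function_exists guard is what keeps that from ending in "Cannot redeclare".
$pages = [
    'include_once' => "<?php @include_once('$include_file'); echo greet(); ?>",
    'include'      => "<?php @include('$include_file'); echo greet(); ?>",
];
foreach ($pages as $label => $page) {
    $meta_pass   = eval_pass($page);   // captured by the meta tag builder
    $render_pass = eval_pass($page);   // what the visitor actually receives
    echo "$label: meta pass [$meta_pass] render pass [$render_pass]\n";
}
unlink($include_file);
```

Under include_once the echo from the file shows up only in the meta pass, which matches the earlier report of a script whose output never reached the page.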


    Yeah, I guess I keep using them. Surely it won’t hurt to use them.

    The only big problem now is that the scripts don’t get run when included, unless written into functions. But I have absolutely no idea what to do about it. So I guess I just have to live with it.

    About those images, well, at least those 160×90 pictures don’t get rejected by Facebook. Maybe checking if one dimension exceeds the limit would be enough?

    Plugin Author JS Morisset



    I just checked-in v2.3 in the trunk. Please download and install the DEV version again at http://downloads.wordpress.org/plugin/nextgen-facebook.zip.

    There are a lot of changes in this version, including one for you. 😉 Add the following to your wp-config.php (or template header.php):

    define( 'NGFB_MIN_IMG_SIZE_DISABLE', true );

    That will disable the image size check. The other changes are:

    * Renamed DISABLE_NGFB_OPEN_GRAPH_DISABLE constant to NGFB_OPEN_GRAPH_DISABLE (though both are allowed).
    * Added the NGFB_MIN_IMG_SIZE_DISABLE constant to disable minimum width and height checks for IMG SRC attributes.
    * Added the StumbleUpon social sharing button.
    * Added a “Preferred Order” option to control the order in which buttons appear.
    * Moved the javascript used by all buttons into the footer section.
    * Moved the admin settings page code into plugins/nextgen-facebook/lib/admin.php.
    * Moved the widget code into plugins/nextgen-facebook/lib/widgets.php.
    * Added the ngfbLoader class and started moving functions into it.



    Okay, cool, I will give it a try.

    I noticed the 2.3 and it is actually running on my site (with the image size check commented out). So it’s working quite nicely now, well, after the changes I had to make to my scripts.

    But I will install this dev version now and see how it works.

    The dev version completely breaks my social buttons. It’s maybe my theme’s fault. Is there some tag I should have in my footer.php? I don’t see the javascript written anywhere.

    Other than that it seems to be working fine (also the disabling of the image size check).

    I get the HTML added into the source but the javascript doesn’t appear anywhere. This is the HTML part (should be fine):

    <!-- NextGEN Facebook OG Social Buttons BEGIN -->
    <div class="ngfb-content-buttons ngfb-buttons">
    <div class="facebook-button"><span class="fb-root"><fb:like
    		send="false" layout="button_count" width="400"
    		show_faces="true" font="arial" action="like"
    <div class="gplus-button g-plusone-button"><span class="g-plusone" data-size="medium"
    <a href="https://twitter.com/share"
    		class="twitter-button twitter-share-button"
    			<div class="tumblr-button"><a href="http://www.tumblr.com/share/link?url=http%3A%2F%2Fwww.alizeeart.com%2Fagenda%2F&name=Agenda+2013&description=Agenda+2013+Old+events+has+been+archived+here%3A+++2013+January++2013-01-03++Broadcast+-+Star+Academy+9+Location%3A+20h35+on+NRJ12++Aliz%C3%A9e+will+attend+%28as+a+guest%29+Star+Academy+season+9+show.+She+will+sing+at+least+a+duet+and+possibly+solo+also.+The+broadcast+should+be+live%2C+so+it%27s+filmed+at+the..."
    				title="Share on tumblr"><img border="0"
    <!-- NextGEN Facebook OG Social Buttons END -->

    Btw, any chance you could put the twitter bit inside a div? Now it’s different from the others and causes trouble when writing CSS. At least to me it would make sense for them to be inside the same kind of tags.

  • The topic ‘serious security bug’ is closed to new replies.