Christopher Finke
Forum Replies Created
Forum: Plugins
In reply to: [Akismet Anti-spam: Spam Protection] Akismet Settings page blank
@bbowers2014: I believe I’ve fixed this for you; there was a misconfiguration in your Akismet.com account.
@William_Syd: Can you contact support@akismet.com with your API key so that I can fix your account as well?
Forum: Plugins
In reply to: [Akismet Anti-spam: Spam Protection] Vulnerability problem?
The most likely explanation is that your server is vulnerable, and the specific hack that is targeting it uses Akismet’s plugin directory as its target. Akismet itself doesn’t contain any hacks or known vulnerabilities.
This list is a good starting point for what you should do: https://codex.wordpress.org/FAQ_My_site_was_hacked
But are there any security issues I should be worried about?
Marginally. The .htaccess blocks direct access to the PHP files, because in cases where a WordPress blog was compromised, hackers were putting their malicious payloads in the akismet/ directory (which most blogs have and typically has acceptable permissions for that kind of thing) and then directing unsuspecting users to example.com/wp-content/plugins/akismet/badfile.php. The .htaccess rules would prevent access to that file.
Could it be that the .htaccess was conflicting with my apache .conf?
I don’t know that it would be a conflict rather than just an incompatibility with your version of Apache. What version are you running? You could try restoring parts of the .htaccess file to see if a certain part of it breaks those URLs.
Re-uploading couldn’t hurt. It could also be related to the .htaccess file, which is supposed to explicitly grant access to those files. If re-uploading doesn’t help, try removing the .htaccess file.
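The deny-by-default, allow-list-the-static-files pattern described in the replies above, as an added example (this is not the Akismet plugin's own .htaccess, and the file names in the FilesMatch are assumed placeholders). It is written so the same file works on Apache 2.2 and 2.4: the 2.2 Order/Deny/Allow directives cause a 500 error on 2.4 unless mod_access_compat is loaded, which is one way "a 500 error from accessing a JS file" can arise.

```apache
# Added example, not the plugin's shipped file.
# Deny direct browser access to everything in this plugin directory,
# so a dropped badfile.php cannot be reached even if it gets written here.
<IfModule mod_authz_core.c>
    # Apache 2.4 and later
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2 (these directives break 2.4 without mod_access_compat)
    Order Deny,Allow
    Deny from all
</IfModule>

# Explicitly re-allow only the static assets a browser legitimately loads.
# File names below are assumed placeholders; list the plugin's real assets.
<FilesMatch "^(akismet\.js|form\.js|akismet\.css)$">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow from all
    </IfModule>
</FilesMatch>
```

A quick check after deploying: request the PHP file and a listed asset directly and confirm the PHP returns 403 while the asset returns 200, not 500.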
For anyone interested in responsible security bug disclosure, feel free to use https://hackerone.com/automattic
A 500 error from accessing a JS file is pretty unusual and is probably best addressed by your web host.
Can you contact me privately at finke@automattic.com so I can understand the exploit?
I don’t see how this is exploitable, given that it requires
a) a valid nonce
b) a user able to edit the given comment.
Can you post an example of how it could be used in an exploit?
Forum: Plugins
In reply to: [Inline Preview] Broken in WP 3.9 ?
Forum: Plugins
In reply to: [Akismet Anti-spam: Spam Protection] Can't submit any comments since 3.1.1
Ditto to everything Greg said. What version of WordPress are you running?
That’s not actually Akismet; it’s a hack attempting to masquerade as Akismet in the hopes that fewer people will remove it.
You should take a look at the “My site was hacked” FAQ and follow the directions there: http://codex.wordpress.org/FAQ_My_site_was_hacked Certainly remove all of the code between the #a08bd5# lines.
@alex: I’ve proposed modifying (and renaming) the filter, and in the process, fixing this problem by using a $is_spam argument in addition to the current $form argument. Details here: https://github.com/Automattic/jetpack/pull/1652
@majato: I can’t reproduce with just Akismet and WordPress SEO; what other plugins do you have installed?
@yuzairy: I have confirmed that I can reproduce the error on your site when only Akismet, WordPress SEO, and MemberMouse are active. Debug Bar doesn’t seem to be involved.
I am 99% sure the error is occurring because MemberMouse includes its own version of jQuery UI (which it should not do), and it’s conflicting with the version of jQuery UI that is already included by core. MemberMouse also does some other things (like var $ = jQuery; in global.js) that could already be causing problems or will cause problems eventually. You should contact them about fixing that up.
Forum: Plugins
In reply to: [Akismet Anti-spam: Spam Protection] Warning: Illegal string offset 'time'
I haven’t been able to reproduce this error; can either of you post a screenshot or write out the steps that it takes to reproduce it?