Code Injection Follow Up

I have released 2 security updates to WP-Polls and WP-PostRatings which basically remove malicious code that allows code injection.

The malicious code is as follows:

// Injected check: compares PHP_SELF against a value derived from the attacker-controlled Referer header;
// the @ suppresses any error raised by links_add_base_url()
if ($_SERVER['PHP_SELF'] == @links_add_base_url("/", $_SERVER['HTTP_REFERER']))
    return;

The code itself does nothing on its own, but hackers are spoofing $_SERVER['HTTP_REFERER'], which allows arbitrary code injection. Note the @ sign, which suppresses all errors, so the error will not be displayed.

I am 100% sure, based on the points below, that the code was not added by me. I am beginning to believe that my account was hacked.

  • Personally, I have no idea what links_add_base_url() does, and hence it is impossible for me to have placed it in my own plugin code.
  • I checked the commit date for the changeset of WP-PostRatings and the date/time is 11/04/10 22:10:13. Since I am on the GMT+8 zone, it is 6am for me. I do not wake up at 6am just to update my plugin.
  • The above changeset is for trunk. However, in my readme.txt I have stated that the stable tag is 1.50, and hence the file is copied to /tags/1.50/ in this changeset. But if you note the time, it is 11/05/10 00:52:39. This is almost 3 hours after the trunk commit and it is almost 9am in my timezone; I would be in my office, and my office’s computer does not have SVN copies of my plugin. So it is also not possible for me to have committed that file.
  • If you notice the same changeset, the file is being copied from trunk to tags/1.50 by SVN copy. I do not do an SVN copy for my plugins; normally I will just copy and paste the files using my Windows Explorer.
  • For WP-Polls, there is only 1 changeset as my stable tag is from trunk, and the timestamp is 11/05/10 12:30:07. This is about 12 hours after the changeset of WP-PostRatings. In my timezone it is about 8.30pm, and it is not possible for me to check in because 8pm to 9pm is my dinner time and I always eat out.
  • For WP-WAP, there are also 2 suspicious commits, here and here. As I do not develop WP-WAP anymore, there is no reason for me to commit something to it.

I am going to review all my commits to the SVN to ensure that no more suspicious code has been added.
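As an added defensive example (not code from the plugins or from this post), a small Python scanner that walks a plugin directory and flags the injected construct shown above: an error-suppressed call to links_add_base_url() fed with $_SERVER['HTTP_REFERER']. The file names and sample file contents are constructed for the demo.

```python
import os
import re
import tempfile

# Regex for the injected construct discussed above: an error-suppressed (@) call to
# links_add_base_url() whose argument list includes the attacker-controlled Referer header.
INJECTED_CALL = re.compile(
    r"@\s*links_add_base_url\s*\(\s*[^)]*\$_SERVER\s*\[\s*['\"]HTTP_REFERER['\"]\s*\]",
    re.IGNORECASE,
)

def scan_source(text):
    """Return the 1-based line numbers where the injected pattern appears in one file's text."""
    return [n for n, line in enumerate(text.splitlines(), start=1) if INJECTED_CALL.search(line)]

def scan_tree(root):
    """Walk a plugin tree and report {relative_path: [line numbers]} for every .php file with a hit."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                lines = scan_source(fh.read())
            if lines:
                hits[os.path.relpath(path, root)] = lines
    return hits

# Constructed sample files (hypothetical names and bodies, not the real plugins' sources)
CLEAN = "<?php\nfunction sample_plugin_init() {\n    return true;\n}\n"
BACKDOORED = (
    "<?php\nfunction sample_plugin_vote() {\n"
    "    if ($_SERVER['PHP_SELF'] == @links_add_base_url(\"/\", $_SERVER['HTTP_REFERER']))\n"
    "        return;\n}\n"
)

def demo():
    """Build a throwaway plugin tree with one clean and one backdoored file, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sample-plugin"))
        with open(os.path.join(root, "sample-plugin", "admin.php"), "w") as fh:
            fh.write(CLEAN)
        with open(os.path.join(root, "sample-plugin", "sample-plugin.php"), "w") as fh:
            fh.write(BACKDOORED)
        return scan_tree(root)

if __name__ == "__main__":
    for path, lines in demo().items():
        print(f"{path}: suspicious line(s) {lines}")
```

Point scan_tree() at a checked-out plugin directory to review every file at once; a hit is a starting point for review, not proof by itself.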


WP-PageNavi Updates

I have to go along with the web trend. My old WP-PageNavi style is outdated and I need to do something about it.

And hence, I modified the style to make it look like Digg’s (bottom of the page). You can also take a look at the bottom of this page for an example.

These changes will be in WP-PageNavi 2.11. I have made it in such a way that every aspect of WP-PageNavi is customizable. The text that is displayed can be configured in WP-Admin -> Options -> PageNavi, and the style can be configured via CSS in pagenavi-css.css.

See the screenshots for more information, WP-PageNavi Screenshots.


Lester Chan’s WordPress Plugins December 2008 Update

Here is my December 2008 WordPress plugins update, containing updates to all 15 of my WordPress plugins and 1 new WordPress plugin. All of them should work on WordPress 2.7; I did not test them on any WordPress version below that.

I am introducing a new plugin called WP-CommentNavi, which basically paginates your comments similar to how WP-PageNavi paginates your posts. I am also retiring WP-Sticky as WordPress 2.7 has a sticky post feature built in. WP-Sticky 2.31 WILL NOT work on WordPress 2.7 due to a conflicting function, “is_sticky”. If you rename that function to “is_sticky2” or something else, it should work, but as usual I did not test it.

*UPDATE* Due to the large number of requests, I decided not to retire WP-Sticky and I have updated it to 1.40 and it is now compatible with WordPress 2.7.

Be sure to read the readme.html and check out the changelog for more information, and most importantly NOTE THE TABS AT THE TOP.

WP-Ban 1.40
» Readme/Changelog
» Download Mirror #1
» Download Mirror #2
» Support Forum

WP-CommentNavi 1.00
» Readme/Changelog
» Demo
» Download Mirror #1
» Download Mirror #2
» Support Forum

WP-DBManager 2.40
» Readme/Changelog
» Download Mirror #1
» Download Mirror #2
» Support Forum

WP-DownloadManager 1.40
» Readme/Changelog
» Demo
» Download Mirror #1
» Download Mirror #2
» Support Forum

WP-EMail 2.40
» Readme/Changelog
» Demo
» Download Mirror #1
» Download Mirror #2
» Support Forum

WP-PageNavi 2.40
» Readme/Changelog
» Demo
» Download Mirror #1
» Download Mirror #2
» Support Forum

WP-PluginsUsed 1.40
» Readme/Changelog
» Demo
» Download Mirror #1
» Download Mirror #2
» Support Forum

WP-Polls 2.40
» Readme/Changelog
» Demo
» Download Mirror #1
» Download Mirror #2
» Support Forum

WP-PostRatings 1.40
» Readme/Changelog
» Demo
» Download Mirror #1
» Download Mirror #2
» Support Forum

WP-PostViews 1.40
» Readme/Changelog
» Demo
» Download Mirror #1
» Download Mirror #2
» Support Forum

WP-Print 2.40
» Readme/Changelog
» Demo
» Download Mirror #1
» Download Mirror #2
» Support Forum

WP-RelativeDate 1.40
» Readme/Changelog
» Demo
» Download Mirror #1
» Download Mirror #2
» Support Forum

WP-ServerInfo 1.40
» Readme/Changelog
» Download Mirror #1
» Download Mirror #2
» Support Forum

WP-Stats 2.40
» Readme/Changelog
» Demo
» Download Mirror #1
» Download Mirror #2
» Support Forum

WP-Sticky 1.40
» Readme/Changelog
» Demo
» Download Mirror #1
» Download Mirror #2
» Support Forum

WP-Useronline 2.40
» Readme/Changelog
» Demo
» Download Mirror #1
» Download Mirror #2
» Support Forum

If you like or love my plugins a lot, do consider making a donation to me. My Paypal email address is lesterchan AT gmail DOT com. Thank you =D


WordPress 3.5.2

WordPress 3.5.2 has been released. It is a security release which fixes 12 bugs, including the following security issues:

  • Blocking server-side request forgery attacks, which could potentially enable an attacker to gain access to a site.
  • Disallow contributors from improperly publishing posts, reported by Konstantin Kovshenin, or reassigning the post’s authorship, reported by Luke Bryan.
  • An update to the SWFUpload external library to fix cross-site scripting vulnerabilities. Reported by mala and Szymon Gruszecki.
  • Prevention of a denial of service attack, affecting sites using password-protected posts.
  • An update to an external TinyMCE library to fix a cross-site scripting vulnerability. Reported by Wan Ikram.
  • Multiple fixes for cross-site scripting. Reported by Andrea Santese and Rodrigo.
  • Avoid disclosing a full file path when an upload fails. Reported by Jakub Galczyk.

You are advised to upgrade immediately.

Download: WordPress 3.5.2 or visit Dashboard -> Updates in your site admin to update now.
