WordPress Nonces Vulnerabilities

Quick Page/Post Redirect Plugin: A Case Study

Quick Page/Post Redirect Plugin has 200,000+ active installs, with version 5.1.5 and older vulnerable to an attacker setting redirects to any URLs in bulk.

Quick Page/Post Redirect WordPress Plugin Vulnerability

And why? All because the developer thinks a 5-byte WordPress nonce will stop the bulk redirect import functionality from running. Newsflash: it won’t.


Dynamic Python Mixins

I was pretty surprised to find out how straightforward it is to create mixin factories and templates in Python. I had a bunch of classes with attributes that needed special getter and setter methods with JSON serialization logic inside of them.

import json

class Model:
    # Stored as a JSON string; the accessors below do the (de)serialization.
    parameter = None

    def get_parameter(self):
        return json.loads(self.parameter)

    def set_parameter(self, value):
        self.parameter = json.dumps(value)

With several such classes, each containing a different number of attributes that need JSON setters and getters, I was aiming to keep it DRY with mixins. But since the number of attributes and their names differ between classes, I’d need a template mixin: a mixin factory that generates mixins dynamically.


Lighthouse – WordPress Performance Plugin Review

Like many rants, this one starts with a promise. One made by the developers of Lighthouse on their marketing page:

…optimize MySQL tables by removing all unused table space (both MyISAM and InnoDB)…

Lighthouse WordPress

All unused table space for InnoDB via a PHP plugin? Suspicious, I got my hands on a copy of the plugin to see how it accomplishes this claimed feat. Well, obviously it didn’t reclaim all InnoDB tablespace, just some of it, using the OPTIMIZE TABLE method (only effective when innodb_file_per_table is set to “on”, which is the default in MySQL 5.6.6 and higher). The ibdata file remained untouched.

Okay, no problem, not unexpected. But then I read into some of the other code and a second, much more substantial promise:

A zero-footprint tuning plugin…

…I became pretty angry. I’ve always been a skeptic of magic optimization plugins, and Lighthouse was unfortunate enough to get my review.


Remove Duplicate WordPress Category Pages

A rather peculiar problem came to my attention yesterday. WordPress serves an infinite number of category pages that are absolutely identical. For example:

This happens for all hierarchical taxonomies, and here is why. Basically, WordPress only queries the last term in the path.


WordPress Dashboard Autobookmarks

Here’s something I put together as a conceptual idea. WordPress Dashboard Autobookmarks keeps track of how popular a dashboard page is by counting how many times it’s been visited by an administrator, and provides an Admin Bar menu with the most often used dashboard screens. This lets administrators return to their most-used dashboard screens at the click of a button.

WordPress Dashboard Autobookmarks

The plugin can be found on GitHub and is at a highly experimental stage for now.

The FancyBox for WordPress Vulnerability

…and how the exploit really worked

Last week a very popular plugin called FancyBox for WordPress was hit with a zero-day vulnerability which I happened to experience first-hand and dig into. If you’ve not heard about this here are a couple of links to get you up to speed:

The plugin was force-updated (where possible) on WordPress sites out there. This is the full disclosure of how the exploit worked.


rwasa + HHVM + WordPress

Yes, as exotic as it ever gets.


Advertisement Proposal Scam

So a couple of nights ago I got a weird e-mail from “Diana” at dianabem501@gmail.com. It said:

I have visit your blog https://codeseekah.com/
I can pay you $200 per month. Contact me for more info.

Intrigued, I decided to respond and see where this scam went. I replied “What for?”…


Custom Munin Graphs

Munin graphs are often too ugly to show off on public-facing pages, and while the control panel is usually enough to get bare information from graphs, customizing these to become interactive and fancy may prove to be quite a task.

Munin Google Charts

I’m going to use Google Charts to output the number of requests per second my server is processing (the data is a snapshot and does not change in this case). Fortunately, all data collected by the Munin master is stored in RRD format and can be retrieved simply by using the rrdtool fetch command, or by using the PHP RRD library if you’re using PHP, or python-rrdtool if you’re using Python.


Rust’s os::args() to C’s *argv[]

I’ve been hooked on Rust lately, trying to wrap my head around the whole borrowing, lifetimes and boxes parade. What’s tough with young Rust is that most sample code out there is outdated, answers to questions are no longer correct, and the documentation leaves a lot to be desired.

I decided to learn a bit of Rust by writing a FUSE filesystem using the libfuse shared library (yes, I know there’s a Rust implementation here). So I’m looking at FFI to get me started, and writing the main libfuse signature:

fn fuse_main_real(argc: c_int, argv: *const *const c_char, op: *const fuse_operations, op_size: size_t, user_data: *const c_void) -> c_int;

The huge challenge I found myself with was trying to convert os::args to *const *const c_char. All the code out there seems to be outdated; nothing worked for me. I was getting lifetime errors, borrowing errors and even move errors for hours on end. And when there were no borrowing errors I was slapped in the face with segmentation faults.

After a lot of thinking, reading the basics several times, I managed to convert the command line arguments given to my Rust program into the needed pointer to a pointer of chars. Here’s how it looks:

// Own the null-terminated C strings for as long as the pointers are in use.
let argv: Vec<ffi::CString> = os::args_as_bytes().into_iter().map(|arg| { ffi::CString::from_vec(arg) }).collect();
// Borrow (iter), don't consume (into_iter): consuming argv here would drop the CStrings and leave dangling pointers.
let args: Vec<*const c_char> = argv.iter().map(|arg| { arg.as_ptr() }).collect();
fuse_main_real(args.len() as c_int, args.as_ptr() as *const *const c_char, .... );

Let’s go through this step by step. First we grab a Vec<Vec<u8>> from os::args_as_bytes, iterate, and collect a Vec of null-terminated ffi::CStrings. Next, iterate over each CString and collect a pointer to the char array backing it. The rest is easy.

Why two variables? I found that chaining ffi::CString::from_vec(arg).as_ptr() would not work, because the CString created inside the closure is freed as soon as the map step is done, leaving the collected pointer dangling. So we need to keep the CStrings around in order for the pointers to remain valid for use.
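The same conversion on current stable Rust, as an added example that is not part of the original post: the owned CStrings and the pointer table live in one struct so the pointers cannot outlive their backing memory, a NULL entry terminates argv as C expects, and interior NUL bytes are rejected rather than silently truncated. `c_side_read` is a hypothetical stand-in for a C callee like fuse_main_real, so the block runs without libfuse.

```rust
use std::ffi::{CStr, CString, NulError};
use std::os::raw::{c_char, c_int};

/// Owned C strings plus the pointer table that points into them.
/// Tying both to one owner makes the pointers valid exactly as long as the struct lives.
pub struct CArgv {
    _owned: Vec<CString>,
    ptrs: Vec<*const c_char>,
}

impl CArgv {
    /// Build from any iterator of byte strings (e.g. the bytes of std::env::args_os).
    /// An argument containing an interior NUL cannot be a C string, so it is an error.
    pub fn new<I, T>(args: I) -> Result<CArgv, NulError>
    where
        I: IntoIterator<Item = T>,
        T: Into<Vec<u8>>,
    {
        let owned: Vec<CString> = args
            .into_iter()
            .map(CString::new)
            .collect::<Result<_, _>>()?;
        // Borrow with iter(), never into_iter(): the CStrings must outlive the pointers.
        let mut ptrs: Vec<*const c_char> = owned.iter().map(|c| c.as_ptr()).collect();
        ptrs.push(std::ptr::null()); // C convention: argv[argc] == NULL
        Ok(CArgv { _owned: owned, ptrs })
    }
    pub fn argc(&self) -> c_int { (self.ptrs.len() - 1) as c_int }
    pub fn argv(&self) -> *const *const c_char { self.ptrs.as_ptr() }
}

/// Hypothetical C callee: walks argv the way a C program would and copies the strings back.
/// Unsafe because it trusts argc/argv, exactly as the real C side does.
pub unsafe fn c_side_read(argc: c_int, argv: *const *const c_char) -> Vec<String> {
    (0..argc as usize)
        .map(|i| CStr::from_ptr(*argv.add(i)).to_string_lossy().into_owned())
        .collect()
}

fn main() {
    let raw: Vec<Vec<u8>> = std::env::args().map(String::into_bytes).collect();
    let cargs = CArgv::new(raw).expect("argument contained a NUL byte");
    let back = unsafe { c_side_read(cargs.argc(), cargs.argv()) };
    println!("{:?}", back);
}
```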

A seemingly trivial task turned out to be quite difficult to get right. I’ve probably done it incorrectly either way 😀; it must be, since it’s a highly inefficient solution (I looked at the emitted assembly and those two calls are awfully large).

Still a lot to learn about this ever-evolving, unstable but fun language. By the way, I used rustc 1.0.0-dev for the above.