serious security bug

RMJ,

Let’s not get ahead of ourselves — NGFB ran and picked up code before it could be executed. The code is output from PHP, not input.

All plugins are executed in a certain order, depending on their priority. Most plugins have a priority of “10”, including the NGFB function that adds the meta tags. If you were to change the priority on this line from “10” to perhaps “20” or more, your problem should go away.

add_filter( 'wp_head', 'ngfb_add_meta_tags', 10 );

I will make this change in v2.1.2, and also filter the og:image tag as I do most others (like og:description).

Let me know if the change in priority fixes your issue.

Thanks,

js.

RMJ,

I just uploaded a new version with the change I suggested above, and some additional sanitation of OG values. Give v2.1.2 a try and let me know if that fixes your issue.

Thanks,

js.

Okey, good to know. I thought it might have been something to do in the order the plugins work but didn’t even had time to find out if I could change it.

But I guess by default it might be good then to run this plugin a bit later in the order to avoid such situation.

I will try out the new version today and let you know how it goes in my site.

I updated the plugin and tried the same code as I had before.

The problem now is that it completely igonores the PHP code (or it’s output), resulting in partial url (just the relative path). Because the image path is now incomplete, Facebook won’t fetch the image and throws error:

The meta tag now says:
<meta property="og:image" content="/resources/images/agenda/agenda-20130105-hedbomusiquemag.png">

Whilst the source code (of the first image) later says:
<img src="https://www.MYSITE.com/resources/images/agenda/agenda-20130105-hedbomusiquemag.png" alt="" />

That happens when using my earlier code:
<img src="<?php echo site_url(); ?>/resources/images/agenda/agenda-20130105-hedbomusiquemag.png" alt="" />

Due to relative path inside the meta tag, Facebook is not able to process it. (interestingly enough they won’t try to fetch it from the base domain if relative path is given)

Here is quote from the Facebook (home > tools > debugger) :

Errors That Must Be Fixed
Object Invalid Value: Object at URL ‘https://www.MYSITE.com/agenda/’ of type ‘article’ is invalid because the given value ‘/resources/images/agenda/agenda-20130105-hedbomusiquemag.png’ for property ‘og:image:url’ could not be parsed as type ‘url’.

It actually might work if I weren’t using permalinks. I don’t know if FB is trying to fetch the image from MYSITE.com/agenda/resources/ instead of the real path MYSITE.com/resources/

Either way, the meta tag should include the full path to avoid such a problem.

BTW,
I changed from the plugin source the filter setting from 20 back to 10 and it does not show anymore the PHP code (or anything at all) in the source when running the site. That’s a good thing. Even going all the way to 1 won’t get the PHP code outputted so that surely fixes the security problem. Now the problem is just how to get the PHP parsed and to output the proper url there.

Hm… My guess is the plugin is going to “the_content” to get that img URL, and in your content, you must have some uninterpreted PHP. Since the OG meta tags are created in the_head, I should be able to pass the content through a “the_content” filter… Just to make sure, could you turn on debug mode (check-box near the bottom of the options page) and give me the URL to that webpage? I’ll have a look at the page source to make sure that img URL is really being picked up from the content. I should be able to update the plugin later today.

Thanks,

js.

It’s in debug mode now:

https://www.alizeeart.com/agenda/

The debug information seems to confirm the problem.

Yeah, that’s what I suspected:

image_source = preg_match_all / img src / <?php echo site_url(); ?>/resources/images/agenda/agenda-20130105-hedbomusiquemag.png

As a last resort, NGFB looks in the content for an <img> tag. It found one, but the content has not been rendered enough to complete the URL.

The sanitation code I added to 2.1.2 takes care of stripping the PHP, but that doesn’t fix the issue. ??

Could you test the current development version at https://downloads.www.ads-software.com/plugin/nextgen-facebook.zip? I added an “apply_filters()” function which should fix the problem.

BTW, very nice site design. Clean and attractive.

Thanks,

js.

Thanks for the comment. ??

Anyways, I tried the development version and it’s not a change to good direction. It picks up the “thumblr” image this time.

From the source code:

Debug Array:
	image_source = preg_match_all / img src / https://platform.tumblr.com/v1/share_2.png

Why it doesn’t see the same image as before ? (nothing has changed on my page) Also a bit strange that it picks up a image generated by the script itself.

Ah. Yeah, that makes sense — it grabs the first <img> it finds.

It picks up an image from the button because it runs apply_filters(‘the_content’) on the text, and the social buttons are part of the_content.

Easy fix. Give me 5 mins. ??

js.

Alright, give the development version another go:

https://downloads.www.ads-software.com/plugin/nextgen-facebook.zip

??

Thanks,

js.

Okey great, I’ll be waiting for the next version.

I found the offending line in the code but as I don’t know the sytem well enough, don’t even know where to start fixing it. So better wait for your fix. ??

Well, I got now the new version up and running and looks like it fixes the problem. ??

Debug Array:
	image_source = preg_match_all / img src / https://www.alizeeart.com/resources/images/agenda/agenda-20130105-hedbomusiquemag.png
-->

Thanks a lot. I will fool around to see if everything works.

edit:
It passes through FB debugger just fine too.

Excellent – glad I could help.

js.

Mmm…

All the other pages containing PHP (in the page content) are now dead. No content is generated for them. (including main page)

It happens with both development versions, so it must be related to your first try to fix it.

I changed back to the official 2.1.2 release and it works (with wrong image of course).

simple script like <?php echo "test" ?> works just fine but if I have more complex it breaks the page.