• Resolved sapiensbryan

    (@sapiensbryan)


    Hi,

    I just discovered a suspicious plug-in appearing at the left bottom corner for a split second on my login page (wp-login.php) when I have NextGEN plugin activated.

    I’m using Google Chrome and have all plug-ins set to “click to play” by default. In other words, all plug-ins such as flash videos, ads, etc, will not run in the web browser until I click them.

    When I visited my WordPress blog’s login page (wp-login.php or /wp-admin/), I saw a square grey box (normally it appears when a plug-in is disabled before I click to play it) appearing at the left bottom corner very quickly (less than 0.5 second) then the grey box disappeared. I don’t have many WordPress plugins running on the blog so I disabled the plugins one by one and found that the suspicious grey box only appears when I have NextGEN Gallery plugin activated.

    I’m wondering, is this plug-in generated by NextGEN? And why is there a plug-in run by NextGEN appearing on the WordPress login page?

    Please feel free to ask if you need a video to prove it.

    Thanks.

    https://www.ads-software.com/plugins/nextgen-gallery/

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Contributor photocrati

    (@photocrati)

    @sapiensbryan – I won’t dispute you are seeing something on the login page, but there is nothing in NextGEN Gallery that does anything directly to the login page.

    – Cais.

    kitchin

    (@kitchin)

    NextGen does load a JS file called ‘persist.js’ which initiates Flash and causes the artifact you describe when the following Chrome setting is on:

    Settings / Show advanced settings / Privacy / Content Settings / Plug-ins / Click to play

    In Firefox, Click to Play (which I think is default now – note I’m using a Firefox pre-release) causes a similar temporary image in the lower-left corner, along with a drop-down bar at the top asking:

    Allow ... to run "Adobe Flash"?

    The Firefox Click to Play setting is described here: https://security.berkeley.edu/content/how-do-i-enable-click-play-mozilla-firefox?destination=node/431

    It’s especially annoying in Firefox because after any page load in Dashboard, and a slight delay, the screen slides down about 30px to make room for the “Allow” bar. Usually in Dashboard I’m just trying to get something done quickly and this one plugin is hassling me by putting the mouse in the wrong place. I have clicked many wrong left-hand menu items due to the slide-down. I could allow Flash for the site permanently, but I’m not sure why it’s even needed.

    Flash only loads on Dashboard, not on the front-end. Admin Bar on the front-end does not load it.

    To check NextGen is really doing this, comment out the following PHP line and re-test:

    Version 2.0.66
    nextgen-gallery/products/photocrati_nextgen/modules/ajax/module.ajax.php line 79:

    wp_enqueue_script('ngg-store-js');

    Here is the offending line it puts in your HTML:

    <script type='text/javascript' src='http.../wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/ajax/static/persist.js?ver=3.9.1'></script>

    And here is the beginning of the first line of that script:

    var swfobject=function(){var UNDEF="undefined",OBJECT="object",SHOCKWAVE_FLASH="Shockwave Flash",SHOCKWAVE_FLASH_AX="ShockwaveFlash.ShockwaveFlash",FLASH_MIME_TYPE="application/x-shockwave-flash",EXPRESS_INSTALL_ID="SWFObjec...

    Many plugins load stuff underneath all Dashboard pages, because it’s not so easy to specify. Even plugins that try to get it right forget about DOING_AJAX and DOING_CRON and certain save/redirect cases. (A very weird corner case is plugin activation, which turns any global variable you define into a local.) In order to selectively load your JS you usually need to know what’s going on before the HTML header finishes loading.

    I’d suggest NextGen do it though, and eliminate Flash except where needed on specific Dashboard pages. This behavior is confusing and hard to track down. No one wants suspicious activity on a login page.
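An offline way to do the attribution described in the post above, as an added example that is not part of the thread or of NextGEN's code: it lists every plugin-owned script on a saved login page and flags those containing the Flash markers visible in the quoted persist.js line. The host `blog.example`, the `example-plugin` entry and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Markers visible in the first line of persist.js as quoted in the thread.
FLASH_MARKERS = ("swfobject", "application/x-shockwave-flash")
PLUGIN_PATH = re.compile(r"/wp-content/plugins/([^/]+)/")

class ScriptCollector(HTMLParser):
    """Collect the src of every external <script> tag, in page order."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)

def audit_login_scripts(html, script_bodies):
    """One finding per plugin-owned script; script_bodies maps URL -> saved text."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        match = PLUGIN_PATH.search(urlparse(src).path)
        if match is None:
            continue  # WordPress core or theme script, not a plugin
        body = script_bodies.get(src, "")
        hits = [m for m in FLASH_MARKERS if m in body]
        findings.append({"plugin": match.group(1), "src": src, "flash_markers": hits})
    return findings

# Constructed sample: a saved wp-login.php page and the scripts it references.
BASE = "https://blog.example"  # placeholder host, not from the thread
NGG = BASE + "/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/ajax/static/persist.js?ver=3.9.1"
OTHER = BASE + "/wp-content/plugins/example-plugin/js/form.js"  # hypothetical plugin
SAMPLE_HTML = (
    "<script type='text/javascript' src='" + BASE + "/wp-includes/js/jquery/jquery.js'></script>"
    "<script type='text/javascript' src='" + NGG + "'></script>"
    "<script type='text/javascript' src='" + OTHER + "'></script>"
)
SAMPLE_BODIES = {
    NGG: 'var swfobject=function(){var FLASH_MIME_TYPE="application/x-shockwave-flash";}',
    OTHER: "document.title = 'login';",
}

for finding in audit_login_scripts(SAMPLE_HTML, SAMPLE_BODIES):
    print(finding["plugin"], finding["flash_markers"] or "no Flash markers")
```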

    Thread Starter sapiensbryan

    (@sapiensbryan)

    Hi Kitchin,

    You got it spot on! Thank you so much!

    I commented out line 79 in nextgen-gallery/products/photocrati_nextgen/modules/ajax/module.ajax.php and the Flash plug-in is not showing up anymore. Indeed, the Flash plug-in is from this file.

    I totally agree with you that no one wants suspicious activity on a login page, especially when it just appears for a split second and you can’t help but wonder what it is doing there.

    Once again, thank you!

    Plugin Contributor photocrati

    (@photocrati)

    @kitchin – Thanks! I’ve never seen this myself so I would never have found the issue.

    @sapiensbryan – I suspect this will not be an issue with your work-around but I cannot say when it will be specifically addressed as using Flash is required for some NextGEN Gallery functionality. Please keep this in mind as updates will overwrite your modifications.

    – Cais.

  • The topic ‘Suspicious Plug-in Appears On Login Page When NextGEN Activated’ is closed to new replies.