How to prevent CSRF vulnerability in WordPress plugins and themes

Recently the folks at Secunia contacted me regarding a vulnerability in my plugin Contextual Related Posts.

Contextual Related Posts is a powerful plugin for WordPress that displays a list of related posts on your website and in your feed. The plugin comes with a ton of options and inbuilt caching, and surfacing related posts can help keep readers on the site.

The vulnerability was on the settings page of the plugin and opened the blog up to a potential cross-site request forgery (CSRF). As reported:

The application allows users to perform certain actions via HTTP requests without performing proper validity checks to verify the requests. This can be exploited to change plugin settings and e.g. insert malicious script into pages or posts when a logged-in administrator visits a specially crafted web page.

Since then, I’ve been scouring the web for material on this, and you might also want to take a look at this article on crunchify for a solution. In this post, I’ll tell you what I did to fix the vulnerability. But first, let’s understand what CSRF is.
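The actual fix lives in the full post and is not reproduced on this archive page. As an added illustration (example code, not the Contextual Related Posts plugin's own), here is the kind of settings handler the report describes next to a hardened version that uses WordPress's nonce and capability APIs. The function names (crp_example_*), the option name crp_example_settings, the nonce action crp_example_save_settings and the three settings fields are all hypothetical.

```php
<?php
// Added example, not the plugin's own code. All crp_example_* names, the option
// 'crp_example_settings' and the nonce action 'crp_example_save_settings' are
// hypothetical; the WordPress functions used (wp_nonce_field, check_admin_referer,
// current_user_can, sanitize_text_field, absint, update_option) are real.

// Vulnerable pattern: whatever arrives in $_POST is saved. A page on another
// site can auto-submit a form to this admin URL; the browser attaches the
// administrator's cookies, and the settings change without their knowledge.
function crp_example_save_settings_vulnerable() {
    if ( isset( $_POST['crp_example_submit'] ) ) {
        update_option( 'crp_example_settings', $_POST['crp_example_settings'] );
    }
}

// Hardened version: a capability check keeps non-admins out, the nonce ties the
// request to this user's session and this specific action (an attacker's page
// cannot know it), and every field is sanitized before it reaches the database.
function crp_example_save_settings_hardened() {
    if ( ! isset( $_POST['crp_example_submit'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Dies with WordPress's "link has expired" page if the nonce is missing,
    // forged or older than the nonce lifetime.
    check_admin_referer( 'crp_example_save_settings', 'crp_example_nonce' );

    $raw   = isset( $_POST['crp_example_settings'] ) ? (array) $_POST['crp_example_settings'] : array();
    $clean = array(
        'limit'      => isset( $raw['limit'] ) ? absint( $raw['limit'] ) : 5,
        'title'      => isset( $raw['title'] ) ? sanitize_text_field( wp_unslash( $raw['title'] ) ) : '',
        'show_thumb' => ! empty( $raw['show_thumb'] ) ? 1 : 0,
    );
    update_option( 'crp_example_settings', $clean );
}

// The form that pairs with the hardened handler. wp_nonce_field() emits the
// hidden nonce (and referer) inputs that check_admin_referer() later verifies.
function crp_example_settings_page() {
    crp_example_save_settings_hardened();
    $opts = get_option( 'crp_example_settings', array( 'limit' => 5, 'title' => '', 'show_thumb' => 0 ) );
    ?>
    <div class="wrap">
      <h2>Contextual Related Posts (example settings)</h2>
      <form method="post" action="">
        <?php wp_nonce_field( 'crp_example_save_settings', 'crp_example_nonce' ); ?>
        <p><label>Number of posts
          <input type="number" name="crp_example_settings[limit]"
                 value="<?php echo esc_attr( $opts['limit'] ); ?>"></label></p>
        <p><label>Heading
          <input type="text" name="crp_example_settings[title]"
                 value="<?php echo esc_attr( $opts['title'] ); ?>"></label></p>
        <p><label><input type="checkbox" name="crp_example_settings[show_thumb]" value="1"
                 <?php checked( $opts['show_thumb'], 1 ); ?>> Show thumbnails</label></p>
        <?php submit_button( 'Save', 'primary', 'crp_example_submit' ); ?>
      </form>
    </div>
    <?php
}

add_action( 'admin_menu', function () {
    add_options_page( 'CRP Example', 'CRP Example', 'manage_options', 'crp-example', 'crp_example_settings_page' );
} );
```

Two things are easy to get wrong: the nonce only protects the request if the handler actually calls check_admin_referer() (or wp_verify_nonce()) before touching the data, and the nonce is not a substitute for the capability check, since a logged-in subscriber can obtain a valid nonce of their own. Sanitizing on save is what stops the "insert malicious script" outcome from the report even if some other bypass is found.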


Dynamic JavaScript with PHP

Early this morning, I released Top 10 – A Page Counter and Popular Posts plugin for WordPress. I detailed my experience while designing this plugin. The major problem that I faced while working with this plugin was with WP Super Cache. WP Super Cache creates a static file of your post and displays this to the viewer. As a result, any PHP code that is present in your WordPress blog template is executed only once and the cached file is then served to your visitor.

The initial version of Top 10 used PHP both to record the page views and to display them, so with WP Super Cache enabled neither the recording nor the displayed count would ever update.

This is where JavaScript with PHP comes in. I ended up using AJAX to record the page views. However, for displaying the count I chose to do so by serving the PHP file as a JavaScript file.

Here’s how you go about it.
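The walkthrough itself is cut off on this archive page. As an added example (not the Top 10 plugin's own code), here is one way to implement the two pieces the post describes: an AJAX hit that records a view even when the HTML is a static cached file, and a PHP file served with a JavaScript content type that writes the current count into the page. The file name top10_example.php, the option top10_example_counts, the query parameters top10_action and top10_id, and the element id prefix are all hypothetical, and the relative path to wp-load.php assumes the file sits in wp-content/plugins/<plugin>/.

```php
<?php
// Added example, not the Top 10 plugin's own code. top10_example.php, the option
// 'top10_example_counts', the query parameters and the element ids are
// hypothetical; the path to wp-load.php assumes wp-content/plugins/<plugin>/.
//
// One file, two roles:
//   included by the plugin  -> only defines top10_example_embed() for templates
//   requested directly      -> acts as the record (AJAX) / display (JS) endpoint

// Template side: prints the markup a theme drops into single.php. Because the
// browser both fetches and records the count, it keeps working after WP Super
// Cache has turned the surrounding page into a static HTML file.
function top10_example_embed( $post_id ) {
    $id  = absint( $post_id );
    $url = plugins_url( 'top10_example.php', __FILE__ );
    echo '<span id="top10-example-' . $id . '"></span>' . "\n";
    // Display: a <script src> that the browser evaluates on every page load.
    echo '<script src="' . esc_url( $url . '?top10_action=display&top10_id=' . $id ) . '"></script>' . "\n";
    // Record: a small AJAX GET that increments the count for this real visit.
    $record = json_encode( $url . '?top10_action=record&top10_id=' . $id );
    echo "<script>var t10=new XMLHttpRequest();t10.open('GET'," . $record . ",true);t10.send();</script>\n";
}

// Endpoint side: runs only when this file is the one the web server executed.
if ( isset( $_SERVER['SCRIPT_FILENAME'] ) && realpath( $_SERVER['SCRIPT_FILENAME'] ) === __FILE__ ) {
    require_once dirname( __FILE__ ) . '/../../../wp-load.php';

    // Never trust the id from the query string: cast to int and confirm it is a
    // published post, otherwise a crafted request could fill the option with junk.
    $post_id = isset( $_GET['top10_id'] ) ? absint( $_GET['top10_id'] ) : 0;
    $action  = isset( $_GET['top10_action'] ) ? (string) $_GET['top10_action'] : 'display';
    if ( ! $post_id || 'publish' !== get_post_status( $post_id ) ) {
        status_header( 400 );
        exit;
    }

    $counts = (array) get_option( 'top10_example_counts', array() );
    $count  = isset( $counts[ $post_id ] ) ? (int) $counts[ $post_id ] : 0;

    if ( 'record' === $action ) {
        $counts[ $post_id ] = $count + 1;
        update_option( 'top10_example_counts', $counts );
        header( 'Content-Type: text/plain; charset=utf-8' );
        echo 'ok';
        exit;
    }

    // Display: answer with JavaScript rather than HTML, and forbid caching so
    // the number is fresh on every load.
    header( 'Content-Type: application/javascript; charset=utf-8' );
    header( 'Cache-Control: no-cache, no-store, must-revalidate' );
    // json_encode() turns the values into safe JS literals, and textContent
    // (not innerHTML) writes them, so nothing read from the database can
    // inject markup into the visitor's page.
    $js_id    = json_encode( 'top10-example-' . $post_id );
    $js_count = json_encode( $count );
    echo "(function () {\n";
    echo "  var el = document.getElementById(" . $js_id . ");\n";
    echo "  if (el) { el.textContent = 'Visited ' + " . $js_count . " + ' times'; }\n";
    echo "})();\n";
    exit;
}
```

In a theme you would call top10_example_embed( get_the_ID() ) inside the loop. The display response must carry a no-cache header, otherwise a browser or proxy cache defeats the point of bypassing WP Super Cache; and because the endpoint is reachable by anyone, the post id is validated and the count is emitted through json_encode() rather than pasted raw into the script.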


PHP-Nuke Vulnerability

The Neo Security Team reports a new vulnerability in PHP-Nuke affecting all versions 7.9 and below. It was discovered by Paisterist.

Collecting Articles on mod_rewrite

This is something that I am longing to learn thoroughly. I know just enough of the basics to get work done, but there is such a lot you can do with it that I have decided to dedicate a post to collecting resources on the subject:

Apache module mod_rewrite
mod_rewrite – Apache HTTP Server
mod_rewrite: A Beginner’s Guide to URL Rewriting
mod_rewrite, a beginner’s guide (with examples)
Results from Google
mod_rewrite Cheat Sheet
Apache mod_rewrite tweaks
URL Rewriting

Well, there are a lot more resources.

PHP Easter Egg…!

Found this at Distant-Help Forums. Append ?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 to any URL that is served by PHP and the interpreter answers with one of its built-in easter eggs instead of the page. Note that these easter eggs only respond while expose_php is On in php.ini (the default on older installs) and were removed in PHP 5.5; since they confirm that the backend runs PHP, they are a handy fingerprinting aid, which is the reason to set expose_php = Off on anything you maintain.