Additional Tags Plugin

Hello im looking at your “Additional Tags” plugin, are there any security risks having this on your wordpress mu site where anyone can sign up?

  • Damon Cook
    • Flash Drive

    I’m very interested in any results from testing. I’m not certain, but we have our entire htdocs hacked and we think the culprit injected iFrame in WPMU comment. The only way that would be possible is if this plugin also enables the comment field to be unfiltered as well. Is this true? I’m still not clear from this thread whether this plugin is secure or not? Please advise?

  • Andrew
    • Champion of Loops

    Hi Guys,

    I’m still not clear from this thread whether this plugin is secure or not?

    The plugin can be as secure or insecure as you want really. It all depends on how you modify it.

    If you want to limit the additional tags to posts only then comment out this line at the top of the plugin file:

    add_filter(‘edit_allowedtags’, ‘additional_tags’:wink:;

    Thanks,

    Andrew

  • Aaron
    • Ex Staff

    I’m also curious on your logic of allowing JavaScript and iframes. Unless you know something I don’t, it seems really scary to me.

    Most users here will just enable the plugin without knowing the risks, so I think it is owed a little more discussion, and possibly a LARGE warning on the download page.

    Anyone have any comments? I can think of some very bad things I could do on a site enabling those tags.

    This is very important to me as my site will have some very strong security concerns.

  • Ovidiu
    • Code Wrangler

    have to agree with Aaron on this one. saying

    as long as you patch security holes when they’re discovered WPMU is quite secure

    isn ‘t quite saying much, sounds more like encouragement to me… and I don’t really think this is about wpmu being secure but about the underlying framework and the code it supports…

  • Damon Cook
    • Flash Drive

    Andrew: The plugin can be as secure or insecure as you want really. It all depends on how you modify it.

    Perhaps the plugin’s page should have a little more warning then, because I just dropped it in my site. I briefly remember looking at it’s code, but that was it. I will now proceed with much hesitation though.

    as long as you patch security holes when they’re discovered WPMU is quite secure

    Perhaps I’m not as advanced a developer, or I’m missing something in this statement, but isn’t there a certain amount of security built into WPMU? Therefore, isn’t there a certain amount of trust one must have in its inherent security? Or should I just test all WPMU’s code for security holes, and if so, how?

  • Aaron
    • Ex Staff

    WPMU is quite secure, but the whole point of this plugin is to disable WPMUs security.

    So what does edublogs know that wordpress does not security wise? And that is an honest question as I would love to have this convenience for my users, but have very serious security concerns.

  • Andrew
    • Champion of Loops

    Hi Guys,

    As I mentioned above, I’m not going to be commenting on Edublogs.

    Obviously you’re more than welcome to discuss this among yourselves (I encourage it actually) but we won’t be providing insight from Edublogs on this particular subject. Thanks for understanding and please do carry on with the conversation!

    Thanks,

    Andrew

  • Ovidiu
    • Code Wrangler

    what I am actually trying to get to display is this code:

    <OBJECT ID="MediaPlayer" WIDTH=385 HEIGHT=50
    CLASSID="CLSID:22D6F312-B0F6-11D0-94AB-0080C74C7E95"
    STANDBY="Loading Windows Media Player components..."
    TYPE="application/x-oleobject">

    <PARAM NAME="FileName" VALUE="http://80.86.106.136:8100" valuetype="ref" ref>
    <param name="AudioStream" value="1">
    <param name="AutoSize" value="0">
    <param name="AutoStart" value="1">
    <param name="AnimationAtStart" value="0">
    <param name="AllowScan" value="-1">
    <param name="AllowChangeDisplaySize" value="-1">
    <param name="AutoRewind" value="0">
    <param name="Balance" value="0">
    <param name="BaseURL" value>
    <param name="BufferingTime" value="5">
    <param name="CaptioningID" value>
    <param name="ClickToPlay" value="-1">
    <param name="CursorType" value="0">
    <param name="CurrentPosition" value="-1">
    <param name="CurrentMarker" value="0">
    <param name="DefaultFrame" value>
    <param name="DisplayBackColor" value="0">
    <param name="DisplayForeColor" value="16777215">
    <param name="DisplayMode" value="1">
    <param name="DisplaySize" value="1">
    <param name="Enabled" value="-1">
    <param name="EnableContextMenu" value="-1">
    <param name="EnablePositionControls" value="-1">
    <param name="EnableFullScreenControls" value="-1">
    <param name="EnableTracker" value="-1">
    <param name="InvokeURLs" value="-1">
    <param name="Language" value="-1">
    <param name="Mute" value="0">
    <param name="PlayCount" value="0">
    <param name="PreviewMode" value="0">
    <param name="Rate" value="1">
    <param name="SAMILang" value>
    <param name="SAMIStyle" value>
    <param name="SAMIFileName" value>
    <param name="SelectionStart" value="-1">
    <param name="SelectionEnd" value="-1">
    <param name="SendOpenStateChangeEvents" value="-1">
    <param name="SendWarningEvents" value="-1">
    <param name="SendErrorEvents" value="-1">
    <param name="SendKeyboardEvents" value="0">
    <param name="SendMouseClickEvents" value="0">
    <param name="SendMouseMoveEvents" value="0">
    <param name="SendPlayStateChangeEvents" value="-1">
    <param name="ShowCaptioning" value="0">
    <param name="ShowControls" value="-1">
    <param name="ShowAudioControls" value="-1">
    <param name="ShowDisplay" value="0">
    <param name="ShowGotoBar" value="0">
    <param name="ShowPositionControls" value="0">
    <param name="ShowStatusBar" value="-1">
    <param name="ShowTracker" value="-1">
    <param name="TransparentAtStart" value="0">
    <param name="VideoBorderWidth" value="0">
    <param name="VideoBorderColor" value="333333">
    <param name="VideoBorder3D" value="-1">
    <param name="Volume" value="-1">
    <param name="WindowlessVideo" value="-1">
    <EMBED TYPE="application/x-mplayer2" SRC="http://80.86.106.136:8100"
    NAME="MediaPlayer"
    WIDTH=320
    HEIGHT=45>
    </EMBED></OBJECT>

    but even wit hthe additional tags plugin I am failing. does it work for anyone there, can you give it a quick try please?

  • georgef
    • The Incredible Code Injector

    Is there a way to allow javascript and iframes on particular pages of your site only?

    I have a viralinviter script that I purchased and it requires javascript on the front page and iframes on another for positioning.

    Can I get around this?

    George

  • Andrew
    • Champion of Loops

    Hi Guys,

    even wit hthe additional tags plugin I am failing. does it work for anyone there, can you give it a quick try please?

    Embeds are a tricky thing. I think some people have managed to allow the right tags for them to work though.

    Is there a way to allow javascript and iframes on particular pages of your site only?

    I would just hack the unfiltered mu plugin so it only runs on the main blog.

    Thanks,

    Andrew

  • georgef
    • The Incredible Code Injector

    Is there a way to allow javascript and iframes on particular pages of your site only?

    Ok thanks. I have the additional tags plugin installed at the moment, but the scripts still dont seem to work.

    Other than hacking the plugin to work on the main blog, is there anything else that I would need to do?

    Thanks,

    George

  • wpcdn
    • Syntax Hero

    Our worry is that, with or without this plugin or unfiltered-mu, many themes’ settings contain fields that can have JavaScript inserted. So, even with JavaScript filtered in posts and such, it can still slip through in so many places.

    We’re debating whether to just allow it anyway, at least on one hosting product that’s all paid (no free level other than possibly a free trial). Hopefully the latest mod_security and other techniques will catch any malicious code.

    Mark

  • drmike
    • DEV MAN’s Mascot

    Two friendly notes:

    – Edublogs removed this from the general usage a few months back due to spammers going nuts with it. It’s now for paid user use only.

    – Test and double check stuff. I politely remind folks of that kb-robots.txt plugins a few years back that didn’t filter any input from the user.

    wpcdn, I don’t know if you want to consider this but we added in the use of the html purifier. You may want to consider that.

    A link to a post on wp-hackers in the middle of a thread on the subject: http://lists.automattic.com/pipermail/wp-hackers/2007-February/010664.html

    Has a quick plugin as well there.

    A real plugin although it;s labeled only for comments: http://wordpress.org/extend/plugins/html-purified/

    Hope this helps,

    -drmike