Open tychay opened 9 years ago
Good point. Honestly I haven't worked on this plugin for a while now and am no longer actively maintaining it. Feel free to raise a PR or supersede it with your own plugin.
Thanks, but my plugin has a completely different purpose (more a flickr remote media library instead of a flickr embed), so it won't supersede this one. :-(
Most Flickr plugins there are old-style (manual creation of key/secret instead of OAuth) and I was curious how you implemented it, which is why I used this one as a model. It's too bad, because if I wasn't writing from scratch, I could have supplied you with pull requests you could have just merged. :-(
I'm writing my own plugin and I've been referencing your code.

When going through it, I noticed that the code makes an ajax request to the site `home_url` with the payload of any Flickr request to sign, as long as the `$_GET` string contains a payload in `__wpfe_sign`. The problem is the request is not authorized in any way or protected with any shared secret from the user (for instance, through creating a nonce and using `check_ajax_referer()`). Because of this, an attacker can have any blog with this plugin installed sign a Flickr API request as them and then make a call to Flickr. Right now, this exposes people's private Flickr accounts. I recommend you generate a nonce and then send that payload along with the ajax request. Then add a verify in the code that handles the `__wpfe_sign` as being the easiest solution. (The one I did btw was use the ajax services built into WordPress, but the refactoring changes to support that would be a bit more complicated at this point for your plugin.)