Community Support Forums

Re: ws_plugin__s2member_js_w_globals potential security risk

2012-01-15T14:02:51-05:00

Cristián Lávaque wrote:
peterhuk wrote: ws_plugin__s2member_js_w_globals
AND
ws_plugin__s2member_css

If not how do I switch them off using available hooks

You can find the instructions in this page http://www.s2member.com/support/

Here's what it says regarding that:

How can I prevent s2Member Pro from loading it's default CSS?

You can place this into the functions.php file for your WordPress® theme.

Code:
remove_action ("ws_plugin__s2member_during_css", "c_ws_plugin__s2member_pro_css_js::css");

Or, you could remove only specific action Hooks; based on Payment Gateway.

Code:
remove_action ("ws_plugin__s2member_during_css", "c_ws_plugin__s2member_pro_alipay_css_js::alipay_css"); remove_action ("ws_plugin__s2member_during_css", "c_ws_plugin__s2member_pro_authnet_css_js::authnet_css"); remove_action ("ws_plugin__s2member_during_css", "c_ws_plugin__s2member_pro_ccbill_css_js::ccbill_css"); remove_action ("ws_plugin__s2member_during_css", "c_ws_plugin__s2member_pro_clickbank_css_js::clickbank_css"); remove_action ("ws_plugin__s2member_during_css", "c_ws_plugin__s2member_pro_google_css_js::google_css"); remove_action ("ws_plugin__s2member_during_css", "c_ws_plugin__s2member_pro_paypal_css_js::paypal_css");

Thanks! This is very helpful!

Statistics: Posted by Olene — January 15th, 2012, 2:02 pm

Re: ws_plugin__s2member_js_w_globals potential security risk

2011-08-06T17:00:41-05:00

same problem over here

viewtopic.php?f=4&t=14359&p=30041#p30041

Statistics: Posted by s1r0n — August 6th, 2011, 5:00 pm

Re: ws_plugin__s2member_js_w_globals potential security risk

2011-03-07T16:25:16-05:00

Hi clavaque,

Many thanks for your reply. I already read those instructions
and they appear to relate to S2Member Pro. But I am currently
only using S2Member.

In addition do you know what the likely effects would be of
switching them off.

Many thanks in advance.

PeterHuk

Statistics: Posted by peterhuk — March 7th, 2011, 4:25 pm

Re: ws_plugin__s2member_js_w_globals potential security risk

2011-03-07T11:30:29-05:00

peterhuk wrote:
ws_plugin__s2member_js_w_globals
AND
ws_plugin__s2member_css

If not how do I switch them off using available hooks

You can find the instructions in this page http://www.s2member.com/support/

Here's what it says regarding that:

How can I prevent s2Member Pro from loading it's default CSS?

You can place this into the functions.php file for your WordPress® theme.

Code:
remove_action ("ws_plugin__s2member_during_css", "c_ws_plugin__s2member_pro_css_js::css");

Or, you could remove only specific action Hooks; based on Payment Gateway.

Code:
remove_action ("ws_plugin__s2member_during_css", "c_ws_plugin__s2member_pro_alipay_css_js::alipay_css"); remove_action ("ws_plugin__s2member_during_css", "c_ws_plugin__s2member_pro_authnet_css_js::authnet_css"); remove_action ("ws_plugin__s2member_during_css", "c_ws_plugin__s2member_pro_ccbill_css_js::ccbill_css"); remove_action ("ws_plugin__s2member_during_css", "c_ws_plugin__s2member_pro_clickbank_css_js::clickbank_css"); remove_action ("ws_plugin__s2member_during_css", "c_ws_plugin__s2member_pro_google_css_js::google_css"); remove_action ("ws_plugin__s2member_during_css", "c_ws_plugin__s2member_pro_paypal_css_js::paypal_css");

Statistics: Posted by Cristián Lávaque — March 7th, 2011, 11:30 am

Re: ws_plugin__s2member_js_w_globals potential security risk

2011-03-06T17:37:44-05:00

I use S2Member to manage member’s access to WP backend to
alow them to post their own content. The front end is free for all and
require no restriction.

Do I really need:

ws_plugin__s2member_js_w_globals
AND
ws_plugin__s2member_css

Loaded?

If not how do I switch them off using available hooks

PeterHuk

Statistics: Posted by peterhuk — March 6th, 2011, 5:37 pm

Re: ws_plugin__s2member_js_w_globals potential security risk

2011-03-06T06:13:25-05:00

Just spotted this thread, and I wanted to share these recent improvements.

s2Member v3.5.2+ ( Changelog excerpts )

(s2Member/s2Member Pro). Optimizations. Further internal optimizations applied through configuration checksums that allow s2Member and s2Member Pro to load with even less overhead now.
(s2Member/s2Member Pro). Optimizations. Further internal optimizations applied with Hook priorities that allow s2Member and s2Member Pro to load dynamic CSS/JS files with even less overhead now.
(s2Member/s2Member Pro). WordPress® 3.1. Updated for full compatibility with WordPress® 3.1 ( s2Member also remains compatible with the WordPress® 3.0.x series ).
(s2Member/s2Member Pro). Speed Optimizations. s2Member's entire codebase has been re-organized into PHP classes containing s2Member's static functions ( dev note: all of s2Member's Hooks/Filters remain as they were ). This new infrastructure allows s2Member to take full advantage of PHP's built-in SPL Autoload extension. This means s2Member's source code is loaded ( only on-demand ) as function calls are made within core routines. So instead of loading s2Member's entire codebase into WordPress®; only the objects/methods needed during the processing of particular page will be included. Long story short, this release of s2Member is much faster than previous versions. For advanced site owners, this will make it more feasible to run s2Member in concert many other plugins; even on shared hosting.

Full Changelog here: http://www.primothemes.com/readme/914/#rm-changelog

Statistics: Posted by Jason Caldwell — March 6th, 2011, 6:13 am

Re: ws_plugin__s2member_js_w_globals potential security risk

2011-02-03T18:11:32-05:00

gwc_wd wrote:
I think I can assure you that it is not related to SSL. I only have one site running ssl and detect no meaningful performance difference with or without S2m.

Good to know! One less possible source to track down

gwc_wd wrote:
I would bet a large beer that the Host intentionally interferes with (throttles, query stalls, etc) WP installs that run specific plugins. One host was very direct about the matter. They said that a shared account should have no need for "membership fee functions" and that use of S2M could be interpreted as a violation of their TOS. I don't do business with them anymore of course .

Ah... hmm... by golly... I wonder if that's the same host as I'm using. Do they do commercial with female IndyCar drivers by chance?

gwc_wd wrote:
At this point, I think you should be able to ask for tech assistance from GoDaddy and if they are unable or unwilling to provide any assistance -- most particularly in ruling things out -- then you should change hosts.

Yeah, I'm close to contacting them again - last time they washed their hands by saying that the performance was as expected once you turn off the plugins (which was sort of helpful because it put me on the track of checking the plugins-specific stuff)

gwc_wd wrote:
Just interview potential hosts before you make any move, explicitly asking about throttling and policies that might affect your use of WP and S2M.

gwc_wd wrote:
On related note, by using the WHM tools on my virtual server I was able to determine that LightBox Plus puts a hit on the CPU even on pages where it is not being used. This hit did not show up in Firebug so it was a surprise. When I disabled LightBox Plus it had a very noticeable impact on page loads; albeit at the cost of less sexy full image views.

Again: good to know! Thanks for all the bits and the time you spend replying! I'll see what I can find out - the geek in me is, of course, just intrigued and wants to figure out the exact issue (but the customer-oriented dude in me just needs to get decent performance by go-live date, lol... what am I laughing at? This is getting scary! )
More later!

Statistics: Posted by FrancescoRizzi — February 3rd, 2011, 6:11 pm

Re: ws_plugin__s2member_js_w_globals potential security risk

2011-02-03T16:36:15-05:00

I think I can assure you that it is not related to SSL. I only have one site running ssl and detect no meaningful performance difference with or without S2m.

I would bet a large beer that the Host intentionally interferes with (throttles, query stalls, etc) WP installs that run specific plugins. One host was very direct about the matter. They said that a shared account should have no need for "membership fee functions" and that use of S2M could be interpreted as a violation of their TOS. I don't do business with them anymore of course .

At this point, I think you should be able to ask for tech assistance from GoDaddy and if they are unable or unwilling to provide any assistance -- most particularly in ruling things out -- then you should change hosts. Just interview potential hosts before you make any move, explicitly asking about throttling and policies that might affect your use of WP and S2M.

On related note, by using the WHM tools on my virtual server I was able to determine that LightBox Plus puts a hit on the CPU even on pages where it is not being used. This hit did not show up in Firebug so it was a surprise. When I disabled LightBox Plus it had a very noticeable impact on page loads; albeit at the cost of less sexy full image views.

Statistics: Posted by gwc_wd — February 3rd, 2011, 4:36 pm

Re: ws_plugin__s2member_js_w_globals potential security risk

2011-02-03T15:51:31-05:00

Still experiencing this performance hit.
Even if I go directly to the URL for that file, it takes ~10 secs to be sent to the browser... which is a mystery to me: the file size (~30K) doesn't seem to justify the slow delivery...

I'm tracking the file request to s2m code, and everything seems to check out nicely: the js portion of that file is included via include_once.... I wonder if the problem is that the host is throttling file access for the WP thread - would there be a quick-to-introduce alternative where the file is placed on the server and immediately available for inclusion on the pages, you think?

Statistics: Posted by FrancescoRizzi — February 3rd, 2011, 3:51 pm

Re: ws_plugin__s2member_js_w_globals potential security risk

2011-01-31T15:11:17-05:00

disabling and re-enabling s2m one more time: now the load time is down to ~5s ... I'm confused (note: yes I am trying to avoiding any browser cache of course)

Statistics: Posted by FrancescoRizzi — January 31st, 2011, 3:11 pm

Re: ws_plugin__s2member_js_w_globals potential security risk

2011-01-31T15:05:44-05:00

Hey gwc_wd, thanks for your thoughts.
Yes, indeed one of the problems is that the shared host limits CPU time. Definitely that's the source of the 30-second timeout when we encounter it, and it may be that it throttles our usage down, which makes s2m run 'slower' than usual...
And yes: it could be somethign else that makes s2m's js (and css) responses be slow.. but here's what I tried:

using our About page (a single page in WP, with no fancy content):
s2m enabled: ~10 seconds (11s for /?ws_plugin__s2member_css=1&qcABC=1&ver=1.01295432284 and 13s for ws_plugin__s2member_js_w_globals=1&qcABC=1&40ccea69118531334c7d0f76ad6c82f1&ver=1.01295432284)

s2m disabled: ~1s

btw, our site is at http://friendsofnatureparks.org/ (and the about page: http://friendsofnatureparks.org/about/) if anyone wants to peek

Locally I did not get this sort of problem so I'm secretly hoping that this will fizzle into some 'oh you are missing this piece on the live server' which makes s2m take this execution path instead of that'

For instance, we haven't placed the SSL cert on the server yet... could that (or something like that) cause s2m to take a slow turn at some point?

Alternatively, ugly workarounds work ok for us: this will be a low-traffic low-content low-complexity site so (for instance) I might grab the css and include it in our base template (then find out where s2m is grabbing it and disable that line).. but I imagine the js is more difficult to 'eliminate' or fake.

Statistics: Posted by FrancescoRizzi — January 31st, 2011, 3:05 pm

Re: ws_plugin__s2member_js_w_globals potential security risk

2011-01-31T12:04:31-05:00

FrancescoRizzi wrote:
I'm adding my voice here.
Mostly, because I'm hitting a performance wall when the site (WP 3.0.4) tries to get
/?ws_plugin__s2member_js_w_globals=1&qcABC=1&1ff67861bdce3385c9377c40948d3f04&ver=1.01295432284

which seems to take up to 32 seconds to be delivered (shared hosting on GoDaddy) so, if there's alternatives or possible improvements, I'm all ear

Is it possible that it is not the actual getting of the s2m but what happens as a result. What I'm getting at is that when s2m authenticates then it allows a bunch of other stuff to go ahead and do their thing. Is it possible that processes are starting on the server before new header responses are received in the browser, thus appearing to firebug to be a hold up with the s2m globals rather than other plugin/theme processes?

I've found that moderately complex wordpress installs get into performance problems on shared hosting accounts. They promote "unlimited" everything, but they all impose fractional CPU and memory usage. Some themes, like my favourite Suffusion, in combination with a handful of plugins exhaust the shared hosting restrictions and everything grinds to a hault. But I've not had the problem with just s2m and default theme running without additional plugins.

FTR, I have not used GoDaddy, but have 1and1, serverfly and lunarpages. They all are parsimonious to maintain their low pricing model. Now I've got a virtual server with hostv and it works extremely well.

Statistics: Posted by gwc_wd — January 31st, 2011, 12:04 pm

Re: ws_plugin__s2member_js_w_globals potential security risk

2011-01-31T11:25:52-05:00

I'm adding my voice here.
Mostly, because I'm hitting a performance wall when the site (WP 3.0.4) tries to get
/?ws_plugin__s2member_js_w_globals=1&qcABC=1&1ff67861bdce3385c9377c40948d3f04&ver=1.01295432284

which seems to take up to 32 seconds to be delivered (shared hosting on GoDaddy) so, if there's alternatives or possible improvements, I'm all ear

Statistics: Posted by FrancescoRizzi — January 31st, 2011, 11:25 am

Re: ws_plugin__s2member_js_w_globals potential security risk

2011-01-19T14:07:05-05:00

This technique DOES negatively affect S2Member Pro. It removes the special .CSS and .JS files that work with the Pro Forms feature.

For the time being, I've re-enabled the feature but plan to dig in more deeply once I go live.

Statistics: Posted by smitchell360 — January 19th, 2011, 2:07 pm

Re: ws_plugin__s2member_js_w_globals potential security risk

2011-01-15T15:50:19-05:00

smitchell360 wrote:
I am using Buddypress for extended profiles and do not throttle downloads ... so I plan to disable this by editing line 46 in hooks.inc.php Hopefully the developer will confirm this.

Can you report back whether your edit caused any negative results?

Statistics: Posted by gwc_wd — January 15th, 2011, 3:50 pm

Re: ws_plugin__s2member_js_w_globals potential security risk

2011-01-13T17:05:01-05:00

Just dug into the code (css-js-w-globals.inc.php and s2member.js). From what I can tell:

I am using Buddypress for extended profiles and do not throttle downloads ... so I plan to disable this by editing line 46 in hooks.inc.php

Hopefully the developer will confirm this.

Statistics: Posted by smitchell360 — January 13th, 2011, 5:05 pm

Re: ws_plugin__s2member_js_w_globals potential security risk

2011-01-13T16:33:41-05:00

+1 on this. I just saw the same thing.

Statistics: Posted by smitchell360 — January 13th, 2011, 4:33 pm

ws_plugin__s2member_js_w_globals potential security risk??

2011-01-08T21:23:53-05:00

After playing around with s2member (non-pro), I noticed that it seems to feed a ws_plugin__s2member_js_w_globals.js file with a huge amount of member/site data that really should not be accessible browser-side. Even without someone being logged in, it still shows some paypal info, along with a bunch of other stuff that seems pretty much unnecessary for most usage cases. Is there any way to completely (or at least mostly) stop this data from being transmitted? I thought I'd try just blocking it altogether from the PHP to see what happens, but felt I should at least bring it up in the forums as well.

Thanks.

Statistics: Posted by apmtrdr — January 8th, 2011, 9:23 pm