Community Support Forums

— WordPress® ( Users Helping Users ) —
http://www.primothemes.com/forums/

exploit errors reported

http://www.primothemes.com/forums/viewtopic.php?f=4&t=15755

Page 1 of 1

exploit errors reported

PostPosted: November 2nd, 2011, 1:53 pm
by togethernet
Hi

I thought I would install and run the plug-in Wordpress Exploit Scanner (http://ocaoimh.ie/exploit-scanner/)

It throws a lot of errors from the s2Member plug-in with respect to use of the eval function.

Put my mind at rest?

Re: exploit errors reported

PostPosted: November 2nd, 2011, 11:33 pm
by Cristián Lávaque
eval has its valid uses. The WordPress team reviews plugins posted there and wouldn't have let s2Member remain there if it were a threat. :)

I'm emailing Jason in case he wants to comment on this.

Re: exploit errors reported

PostPosted: November 3rd, 2011, 2:54 pm
by Jason Caldwell
Thanks for the heads up on this thread.
togethernet wrote:Hi

I thought I would install and run the plug-in Wordpress Exploit Scanner (http://ocaoimh.ie/exploit-scanner/)

It throws a lot of errors from the s2Member plug-in with respect to use of the eval function.

Put my mind at rest?
I can appreciate your concern. Yes, eval() does have valid uses.

s2Member's use of the eval() function allows site owners, and ONLY site owners to incorporate PHP code of their own into some of s2Member's configuration panels. For instance, see: s2Member -> General Options -> Login/Registration Design -> Footer HTML/PHP Code.

SNAG-0107.png
SNAG-0107.png (13.38 KiB) Viewed 53 times

So, while the use of eval() CAN certainly introduce security issues, s2Member's use of eval() is limited to only those areas which process code introduced by the site owner, or by s2Member itself. s2Member will NOT eval() untrusted data ( i.e. data introduced by a user/browser/cookie/query string/etc ). I'm not aware of s2Member having any security issues in this regard, with respect to the eval() function.

On a Multisite Blog Farm installation, the use of eval() can be disabled completely, since you would have site owners with child Blogs on your Network. In cases such as those, the additional documentation that comes with a Multisite Network Support Package allows Network adminstrators to disable the use of eval() in areas of s2Member that allow site owners to introduce PHP code of their own.

That being said, I do NOT recommend disabling eval() in s2Member on a standard WordPress installation, or even on a typical Multisite Network installation. The only time that would be practical, is if you were running a "Blog Farm", where you would have untrusted site owners.

Definition of a Multisite Blog Farm:
If your Network is making it possible for "Members" of your Main Site, to create and/or manage Blogs (in any way), s2Member will consider your installation to be a Multisite Blog Farm. That being said, some site owners run a Multisite Network for the purpose of maintaining their own sites. The term Multisite Blog Farm does NOT apply to a Network that hosts multiple Child Blogs, all of which are operated by a single site owner and/or a single company. Again, a Multisite Blog Farm ( in the eyes of s2Member ), is any Network that is making it possible for "Members" of its Main Site, to create and/or manage Blogs; where one or more of these Child Blogs is being administered by a Customer ( e.g. if you offer both Membership and Blog creation ).
All times are UTC - 5 hours
Page 1 of 1
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group
http://www.phpbb.com/