Important : Security Updates with WordPress 4.8.2

I am writing this post right after updating my WordPress websites and the websites that I monitor or host.

Important security updates were released yesterday. Update your WordPress installations as soon as possible to avoid issues.

The following security issues have been fixed:

  1. $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability.
  2. A cross-site scripting (XSS) vulnerability was discovered in the oEmbed discovery.
  3. A cross-site scripting (XSS) vulnerability was discovered in the visual editor.
  4. A path traversal vulnerability was discovered in the file unzipping code.
  5. A cross-site scripting (XSS) vulnerability was discovered in the plugin editor.
  6. An open redirect was discovered on the user and term edit screens.
  7. A path traversal vulnerability was discovered in the customizer.
  8. A cross-site scripting (XSS) vulnerability was discovered in template names.
  9. A cross-site scripting (XSS) vulnerability was discovered in the link modal.

You can find more information in the release notes for 4.8.2 or the list of changes here.

Source: WordPress Blog

OsCommerce – SMTP with authentication

OsCommerce SMTP authentication with email formatting: this was the request from one of our clients. Yesterday, I was working on a project with an older version of OsCommerce (I know it is not a great solution, but the client has been using it for a long time and doesn't want to change).

The current installation had ‘sendmail’ configured, which never worked because it was disabled at the server level. Oops 🙁

Instead of implementing anything directly, I found this add-on: “smtp through the authentication smtp server”.

After installation, I was happy that it worked and I was able to set the SMTP details, but then the pain started. All emails were being sent through SMTP, great, but without formatting. OK, I thought it could be an email format issue. I set it to ‘text’ format: still the same. I set it to HTML: still the same.

Now it was time to look into the issue. After some time of digging, I found an issue in email.php (includes/classes).

I commented out a few lines and added a few in the send function:

(Screenshot: oscommerce-smtp)

WOW, this fixed the problem for emails sent from the store front, so the same change was made in email.php in the admin/includes/classes folder.

So why am I posting this simple fix? For the benefit of others. I tried to find a place on the add-on download page to report it, but there is nowhere to comment or raise an issue, hence I added it here.

The idea is simple: pay back to the community whenever possible. My 2 cents of contribution.

Code as text:
/* Original add-on logic, now commented out. It never consulted the store's
   EMAIL_USE_HTML setting and fell through to $this->text / $this->html_text.
if($body){
    $message->setBody($body, 'text/html', CHARSET);
}
if($this->text){
    $message->setBody($this->text, 'text/plain', CHARSET);
}
else{
    $message->setBody($this->html_text, 'text/html', CHARSET);
} */
// Replacement: pick the MIME type from the EMAIL_USE_HTML setting.
// osCommerce defines its configuration constants as strings ('true'/'false'),
// so compare against 'true' instead of testing the constant as a boolean;
// the string 'false' would otherwise be truthy and the plain-text branch
// could never be reached.
if (EMAIL_USE_HTML == 'true' && $body) {
    $message->setBody($body, 'text/html', CHARSET);
} elseif (EMAIL_USE_HTML != 'true' && $body) {
    $message->setBody($body, 'text/plain', CHARSET);
} else {
    // No body passed in: fall back to the pre-built HTML text.
    $message->setBody($this->html_text, 'text/html', CHARSET);
}