Moving…

Alex Günsche · April 21, 2007

No, not this site, but I myself am moving. From May 1st, I’ll have a beautiful new apartment with a shiny new office. :) Therefore, I may be a bit hard to reach during the next days and weeks, especially via Internet, as I’m also changing my access provider. But my girlfriend will provide a shelter for me and my notebook, so that I will be able to implement my current customers’ projects. However, I’m afraid I won’t be able to provide support for my free projects for the time being.

InstantUpgrade 0.2

Alex Günsche · April 6, 2007

There’s a new version of the InstantUpgrade plugin. Actually, I had big plans and wanted to implement some new features for the upcoming version. But there were some issues which needed to be addressed in the meantime.

Changes to the previous version:

  • From now on, the plugin refuses to work in safe mode. Some people reported errors with certain safe mode configurations, so we’d better play it safe here.
  • The Chmod routine, which can be used to reset the file permissions, can now also be run without including WordPress (“standalone mode”).
  • Languages are now loaded via the init hook, so users of plugins like Polyglot can fully benefit from the translations.
  • There is a new translation into Brazilian Portuguese by Neto Cury.

The new version is as always available from the plugin’s page.

A few words about the InstantUpgrade plugin

Alex Günsche · March 22, 2007

The InstantUpgrade plugin has received quite some attention during the last two weeks since its initial release. At the moment, the plugin package has been downloaded about 1100 times. But it has also raised a couple of questions which were asked here at zirona.com or discussed in other places. I want to say a few words and try to summarize the feedback a bit.

In general, the plugin received very positive feedback. Many people wrote me that they were astonished how quick and easy the upgrade was indeed. I have to admit that I myself am surprised how well it seems to work for the vast majority of users. However, some people did encounter problems, in fact due to certain safe mode configurations. (This is why the plugin’s next version won’t work in safe mode at all.) However, as far as I know, everybody was able to restore his/her WordPress installation, so there was no grave damage so far. (phew…)

For the topic of security

We all know that making files writable by the webserver is potentially dangerous. For InstantUpgrade, you must make very many files writable. There is no way around that, because the FTP user (you) and the webserver are different system users on the server in most cases. But that’s ok in this case, because with the first run, all those files will be owned by the webserver and have proper permissions again.

However, the WordPress base folder will remain world writable. This might allow the webserver or other users to create files there — if they come to access this area at all. If you want to avoid this very unlikely possibility under any circumstances, you must not use the InstantUpgrade plugin. However, if you have your .htaccess or your theme/plugin files world writable, or you use plugins that execute inline PHP, don’t you come to me whining about security.

Apart from this, there is — in my opinion — no reason to consider this plugin insecure. But if you believe you have identified another issue, please let me know.
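To see what the permission situation described above actually looks like on disk, here is an added example (not part of the plugin or this post) that audits a WordPress tree for world-writable entries and clears the o+w bit everywhere except on paths you deliberately allow-list, the way the Chmod routine is meant to reset permissions. The directory layout and modes in `demo()` are constructed for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

def find_world_writable(root):
    """Relative paths of every file and directory under root (root itself included,
    symlinks skipped) whose mode has the world-writable bit (o+w) set."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in [""] + filenames:          # "" stands for the directory itself
            path = os.path.join(dirpath, name) if name else dirpath
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue
            if mode & stat.S_IWOTH:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def harden(root, keep_writable=()):
    """Clear o+w on everything find_world_writable reports, except the relative
    paths listed in keep_writable. Returns the number of entries changed."""
    changed = 0
    for rel in find_world_writable(root):
        if rel in keep_writable:
            continue
        path = os.path.join(root, rel)
        os.chmod(path, stat.S_IMODE(os.stat(path).st_mode) & ~stat.S_IWOTH)
        changed += 1
    return changed

def demo():
    """Constructed mini WordPress tree with sloppy permissions: audit, harden, re-audit."""
    root = tempfile.mkdtemp()
    files = ("wp-config.php", ".htaccess", "wp-content/plugins/x/x.php", "wp-content/uploads/a.jpg")
    for rel in files:
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_text("")
    for dirpath, _dirnames, filenames in os.walk(root):  # deterministic baseline regardless of umask
        os.chmod(dirpath, 0o755)
        for f in filenames:
            os.chmod(os.path.join(dirpath, f), 0o644)
    os.chmod(root, 0o777)                                 # base folder left world writable after an upgrade
    os.chmod(Path(root, ".htaccess"), 0o666)              # world-writable .htaccess: the case the post warns about
    os.chmod(Path(root, "wp-content/uploads"), 0o777)     # uploads dir: webserver must write here, so allow-listed
    before = find_world_writable(root)
    changed = harden(root, keep_writable=("wp-content/uploads",))
    after = find_world_writable(root)
    return before, changed, after

if __name__ == "__main__":
    print(demo())
```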

Integration with WordPress

Another thing I’ve read a couple of times are statements like “If it’s so good, why isn’t it in the WordPress core?” or “I hope they will soon integrate this with the WP core.” Although I feel honoured when hearing these proposals, I’m afraid they’re a bit unrealistic. The installation of the plugin requires some steps that (a) might ask too much from novice WP users, and (b) can turn out to be impossible on some hosts.

I would however appreciate if — with time — there could be better cooperation with the WordPress developers. The InstantUpgrade plugin must be as future-proof as possible, and I am afraid that most people won’t upgrade the plugin itself very often. So if there is a change in WordPress that the plugin is not designed for, there might be errors during the upgrade. Of course I monitor the development of WordPress, so I have a pretty good idea of what awaits us with new releases, and you can be sure that I will bring out a new version of InstantUpgrade soon enough before the WordPress upgrade.

I have also received some ideas for upcoming versions. Some are things I had considered myself, and had rejected for various reasons. Others are good inspirations for improvements. So if you have an idea what could be a feature of an auto-upgrade plugin, please let me know.

Plugin directory wp-plugins.org

Alex Günsche · March 16, 2007

The boys from Automattic have (finally!) extended the website wp-plugins.org to a standardized platform for WordPress plugins. This will hopefully make plugin management a lot easier for users and developers.

By the way: Matt says: “[…] having all these plugins isn’t that useful if you’ve got no place to find them”, which is of course a bit misleading, because wp-plugins.net has always done a good job at least for me.

InstantUpgrade: Automatic upgrades for WordPress

Alex Günsche · March 11, 2007

InstantUpgrade is a plugin for WordPress, which will perform automatic upgrades of a WordPress installation with a single click. You can upgrade to the latest WordPress version, or you can upgrade to a version of your choice. The plugin downloads the chosen WordPress version, unpacks it, deletes the old files and inserts the new ones. All these actions don’t require funky PHP extensions — they are all handled by the InstantUpgrade plugin.

This plugin might be of special interest for you if you installed WordPress for a friend or a customer with no knowledge of FTP, PHP and MySQL. But of course, everybody else will surely also appreciate easy and instant upgrades.

Documentation, screenshots and downloads are available at the InstantUpgrade homepage. Feedback is very appreciated.

AdvancedSearch Lite

Alex Günsche · March 8, 2007

There have been many requests for this, and now it happened: The AdvancedSearch plugin has got a little brother called “AdvancedSearch Lite”. This edition is developed for the people who always wanted the fulltext search with boolean operators, but wanted no or just a small search form. Of course, this edition also features multi-color search term highlighting.

“AdvancedSearch Lite” fulfills these requirements: As soon as you upload and activate it, the WordPress search will have a new engine. If you then want to replace the legacy sidebar search form with a much neater and more feature-rich one, you can also do this with very little effort.

The “AdvancedSearch Lite” plugin also has its own page with downloads and comprehensive documentation. As always, we hope you enjoy our work! By the way, translations, bug reports and feedback of any kind are always welcome.

meinung-live.de: Censorship against BILDblog.de, liberal with security holes

Alex Günsche · March 5, 2007

A few days ago, BILDblog.de published an article about the forum www.meinung-live.de, operated by Bild.T-Online, where links and other references to BILDblog.de are systematically censored.

I took this as an occasion to have a look around on this portal. I can’t stand the hate and lie machine “BILD” anyway, and when systematic censorship is practised on top of that, one does want to see who one is dealing with.

Now, I am neither an evil hacker nor would I call myself a security specialist — but after only a short look around, several gross security holes caught my eye that could become fatal for users and operators of the portal. The forum system is called Forum 101 and can be bought from the North German internet outfit worldweb for a mere 2800 euros. This forum system is affected by several security holes, predominantly cross-site scripting (XSS) in abundance, as well as SQL injection.

For the non-experts: client-side cross-site scripting is an attack technique in which a villain laces prepared URLs with JavaScript (a programming language executed by the browser), which is then executed on the victim’s computer. In this way, one can for instance take over the victim’s user account. The Forum101 system permits XSS attacks in many input fields and the corresponding URL parameters, i.e. pretty much every page of the forum is vulnerable to XSS attacks.

But that’s not all: the forum system is vulnerable to SQL injection. SQL injection becomes possible through sloppy programming, when user input is used unchecked as a parameter for a database query. This may allow breaking into the forum system’s database and reading/altering/deleting arbitrary data — for instance user names and passwords. (A small tip for the Forum101 developers: LIMIT clauses should not be taken unchecked from the URL.)
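The tip about LIMIT values, turned into code as an added example (not taken from Forum101 or from this post): the value from the URL is accepted only if it is a plain decimal integer, clamped to a sane range, and then bound as a query parameter rather than pasted into the SQL text. The in-memory `posts` table and its rows are constructed for the demonstration.

```python
import re
import sqlite3

_PLAIN_INT = re.compile(r"[0-9]{1,6}")   # digits only: no sign, no spaces, no SQL fragments

def parse_limit(raw, default=20, maximum=100):
    """Turn a LIMIT value taken from the URL into a safe integer in [1, maximum].
    Missing/empty -> default; anything that is not a plain decimal integer -> ValueError."""
    if raw is None or raw == "":
        return default
    if not _PLAIN_INT.fullmatch(raw):
        raise ValueError("limit must be a plain decimal integer")
    return max(1, min(int(raw), maximum))

def make_demo_db():
    """Constructed in-memory stand-in for a forum's posts table (seven rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO posts (title) VALUES (?)",
                     [("post %d" % i,) for i in range(1, 8)])
    return conn

def fetch_titles(conn, limit_raw, page_size_max=5):
    """The validated number is bound as a query parameter; the SQL text itself never
    changes, so nothing taken from the URL can alter the statement."""
    n = parse_limit(limit_raw, default=page_size_max, maximum=page_size_max)
    rows = conn.execute("SELECT title FROM posts ORDER BY id LIMIT ?", (n,))
    return [title for (title,) in rows]

if __name__ == "__main__":
    db = make_demo_db()
    print(fetch_titles(db, "2"))
    print(fetch_titles(db, "50"))
```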

Moreover, attacks against users are made even easier by the fact that the password apparently lies in the database in plain text instead of being protected with a hash. (This can be seen from the fact that the “forgotten password” function returns the original password, not a new one.) So an attacker doesn’t even have to change the passwords to log in with someone else’s account, i.e. such access would even remain largely unnoticed.

With such grave weaknesses, the Forum101 system quickly turns into “Room 101” for everyone involved. To make it clear once more: these findings are the result of an idle coffee break. One dares not imagine what a closer examination of this botched job, priced like a complete office furnishing, would turn up. That leaves the question why Bild.T-Online chose this package — when an older version of phpBB would have done just as well. Presumably the outstanding feature (or “unique selling point”, as the PR person says) is the sophisticated censorship function.

Note: The unauthorised spying on and manipulation of computer data is — as we all know — a criminal offence in Germany. In the research presented above, no data were spied on or manipulated without authorisation. This article is not to be understood as an incitement to criminal acts, but solely constitutes a critical examination of the “Forum101” forum system.

Advanced Search 0.6

Alex Günsche · February 24, 2007

There is a new version of the AdvancedSearch plugin. It fixes some grave bugs with the WordPress 2.1 series:

  • Paged searches now work with WP 2.1.x.
  • Searching in static pages now also works again.
  • A problem with search term highlighting and the o42_cleanumlauts plugin has been fixed (only relevant to German users).

Many thanks to everybody who supported the development with finding and fixing bugs; especially Ryan and Aza.

Furthermore, there is now a Czech translation of the plugin thanks to Martin Štěpán.

The plugin is as always available from its home page. Have fun with the new version and let me know how you like it. Also, please help out with translations, and report bugs as well as improvement ideas!

WP-Manage 0.1-alpha2

Alex Günsche · January 23, 2007

Tonight, the long-expected WordPress 2.1 was released. Unfortunately, the WP-Manage Upgrade module had some problems with the upgrade to 2.1. Therefore, there’s the new version 0.1-alpha2, which fixes the errors. In case you have tried to upgrade with the broken version, simply insert the new version (or only the file upgrade.php) and try again. We apologize for the inconvenience.

WP-Manage: Automatic backups and upgrades

Alex Günsche · January 20, 2007

WP-Manage is a management extension (not plugin) for WordPress, which will perform backups and upgrades each with a single click.

The Backup routine creates a MySQL dump of the WP tables, gathers all WP files and puts all this stuff into a nice zip file. The Upgrade routine downloads the latest WordPress, unpacks it, deletes the old files and inserts the new ones. All these actions don’t require funky PHP extensions — they are all handled by the WP-Manage package, together with some nice third-party libs.

The backup and the upgrade routine are independent from each other, and it should be said that the upgrade feature might not be the right thing for everyone. But e.g. if you installed WordPress for a friend or a customer with no knowledge of FTP, PHP and MySQL, you might find an ideal solution in this upgrade feature.

Documentation, screenshots and downloads are available at the WP-Manage homepage. Feedback is very appreciated.

Update: There was an unfortunate error in the file upgrade.php: The latest WordPress was not downloaded from wordpress.org, but from zirona.com (this server). This is because I didn’t want to bomb wordpress.org with requests during development. Unfortunately I forgot to replace the reference to my server with the original download source, so the WP-Manage version distributed until this evening (GMT) downloads from zirona.com. The error has been corrected and the package was uploaded again. You can either download WP-Manage again or change http://www.zirona.com/download/ to http://wordpress.org/ in upgrade.php, line 290. Sorry for the confusion and thanks to Fabrice Pascal for the hint.