PriMoThemes — now s2Member® (official notice)

This is now a very OLD forum system. It's in READ-ONLY mode.
All community interaction now occurs at WP Sharks™. See: new forums @ WP Sharks™

ws_plugin__s2member_js_w_globals potential security risk??

s2Member Plugin. A Membership plugin for WordPress®.

ws_plugin__s2member_js_w_globals potential security risk??

Postby apmtrdr » January 8th, 2011, 9:23 pm

After playing around with s2member (non-pro), I noticed that it seems to feed a ws_plugin__s2member_js_w_globals.js file with a huge amount of member/site data that really should not be accessible browser-side. Even without someone being logged in, it still shows some paypal info, along with a bunch of other stuff that seems pretty much unnecessary for most usage cases. Is there any way to completely (or at least mostly) stop this data from being transmitted? I thought I'd try just blocking it altogether from the PHP to see what happens, but felt I should at least bring it up in the forums as well.

Thanks.
User avatar
apmtrdr
Registered User
Registered User
 
Posts: 1
Joined: January 8, 2011

Re: ws_plugin__s2member_js_w_globals potential security risk

Postby smitchell360 » January 13th, 2011, 4:33 pm

+1 on this. I just saw the same thing.
User avatar
smitchell360
Experienced User
Experienced User
 
Posts: 28
Joined: January 4, 2011

Re: ws_plugin__s2member_js_w_globals potential security risk

Postby smitchell360 » January 13th, 2011, 5:05 pm

Just dug into the code (css-js-w-globals.inc.php and s2member.js). From what I can tell:

    1. the script tag includes both s2m globals (dynamically constructed through some really clever code) and s2member.js which provides some functionality
    2. the globals are only needed in the event that you are writing javascript
    3. HOWEVER, s2member.js DOES use a few of these globals to throttle downloads
    4. The rest of s2member.js seems to format extended fields in the user profile if you set them up in S2
I am using Buddypress for extended profiles and do not throttle downloads ... so I plan to disable this by editing line 46 in hooks.inc.php

Hopefully the developer will confirm this.
User avatar
smitchell360
Experienced User
Experienced User
 
Posts: 28
Joined: January 4, 2011

Re: ws_plugin__s2member_js_w_globals potential security risk

Postby gwc_wd » January 15th, 2011, 3:50 pm

smitchell360 wrote:I am using Buddypress for extended profiles and do not throttle downloads ... so I plan to disable this by editing line 46 in hooks.inc.php Hopefully the developer will confirm this.


Can you report back whether your edit caused any negative results?
User avatar
gwc_wd
Registered User
Registered User
 
Posts: 18
Joined: June 27, 2010

Re: ws_plugin__s2member_js_w_globals potential security risk

Postby smitchell360 » January 19th, 2011, 2:07 pm

This technique DOES negatively affect S2Member Pro. It removes the special .CSS and .JS files that work with the Pro Forms feature.

For the time being, I've re-enabled the feature but plan to dig in more deeply once I go live.
User avatar
smitchell360
Experienced User
Experienced User
 
Posts: 28
Joined: January 4, 2011

Re: ws_plugin__s2member_js_w_globals potential security risk

Postby FrancescoRizzi » January 31st, 2011, 11:25 am

I'm adding my voice here.
Mostly, because I'm hitting a performance wall when the site (WP 3.0.4) tries to get
/?ws_plugin__s2member_js_w_globals=1&qcABC=1&1ff67861bdce3385c9377c40948d3f04&ver=1.01295432284

which seems to take up to 32 seconds to be delivered (shared hosting on GoDaddy) so, if there's alternatives or possible improvements, I'm all ear :)
User avatar
FrancescoRizzi
Registered User
Registered User
 
Posts: 21
Joined: December 2, 2010

Re: ws_plugin__s2member_js_w_globals potential security risk

Postby gwc_wd » January 31st, 2011, 12:04 pm

FrancescoRizzi wrote:I'm adding my voice here.
Mostly, because I'm hitting a performance wall when the site (WP 3.0.4) tries to get
/?ws_plugin__s2member_js_w_globals=1&qcABC=1&1ff67861bdce3385c9377c40948d3f04&ver=1.01295432284

which seems to take up to 32 seconds to be delivered (shared hosting on GoDaddy) so, if there's alternatives or possible improvements, I'm all ear :)


Is it possible that it is not the actual getting of the s2m but what happens as a result. What I'm getting at is that when s2m authenticates then it allows a bunch of other stuff to go ahead and do their thing. Is it possible that processes are starting on the server before new header responses are received in the browser, thus appearing to firebug to be a hold up with the s2m globals rather than other plugin/theme processes?

I've found that moderately complex wordpress installs get into performance problems on shared hosting accounts. They promote "unlimited" everything, but they all impose fractional CPU and memory usage. Some themes, like my favourite Suffusion, in combination with a handful of plugins exhaust the shared hosting restrictions and everything grinds to a hault. But I've not had the problem with just s2m and default theme running without additional plugins.

FTR, I have not used GoDaddy, but have 1and1, serverfly and lunarpages. They all are parsimonious to maintain their low pricing model. Now I've got a virtual server with hostv and it works extremely well.
User avatar
gwc_wd
Registered User
Registered User
 
Posts: 18
Joined: June 27, 2010

Re: ws_plugin__s2member_js_w_globals potential security risk

Postby FrancescoRizzi » January 31st, 2011, 3:05 pm

Hey gwc_wd, thanks for your thoughts.
Yes, indeed one of the problems is that the shared host limits CPU time. Definitely that's the source of the 30-second timeout when we encounter it, and it may be that it throttles our usage down, which makes s2m run 'slower' than usual...
And yes: it could be somethign else that makes s2m's js (and css) responses be slow.. but here's what I tried:

using our About page (a single page in WP, with no fancy content):
s2m enabled: ~10 seconds (11s for /?ws_plugin__s2member_css=1&qcABC=1&ver=1.01295432284 and 13s for ws_plugin__s2member_js_w_globals=1&qcABC=1&40ccea69118531334c7d0f76ad6c82f1&ver=1.01295432284)

s2m disabled: ~1s

btw, our site is at http://friendsofnatureparks.org/ (and the about page: http://friendsofnatureparks.org/about/) if anyone wants to peek ;)

Locally I did not get this sort of problem so I'm secretly hoping that this will fizzle into some 'oh you are missing this piece on the live server' which makes s2m take this execution path instead of that'

For instance, we haven't placed the SSL cert on the server yet... could that (or something like that) cause s2m to take a slow turn at some point?

Alternatively, ugly workarounds work ok for us: this will be a low-traffic low-content low-complexity site so (for instance) I might grab the css and include it in our base template (then find out where s2m is grabbing it and disable that line).. but I imagine the js is more difficult to 'eliminate' or fake.
User avatar
FrancescoRizzi
Registered User
Registered User
 
Posts: 21
Joined: December 2, 2010

Re: ws_plugin__s2member_js_w_globals potential security risk

Postby FrancescoRizzi » January 31st, 2011, 3:11 pm

disabling and re-enabling s2m one more time: now the load time is down to ~5s ... I'm confused (note: yes I am trying to avoiding any browser cache of course)
User avatar
FrancescoRizzi
Registered User
Registered User
 
Posts: 21
Joined: December 2, 2010

Re: ws_plugin__s2member_js_w_globals potential security risk

Postby FrancescoRizzi » February 3rd, 2011, 3:51 pm

Still experiencing this performance hit.
Even if I go directly to the URL for that file, it takes ~10 secs to be sent to the browser... which is a mystery to me: the file size (~30K) doesn't seem to justify the slow delivery...

I'm tracking the file request to s2m code, and everything seems to check out nicely: the js portion of that file is included via include_once.... I wonder if the problem is that the host is throttling file access for the WP thread - would there be a quick-to-introduce alternative where the file is placed on the server and immediately available for inclusion on the pages, you think?
User avatar
FrancescoRizzi
Registered User
Registered User
 
Posts: 21
Joined: December 2, 2010

Re: ws_plugin__s2member_js_w_globals potential security risk

Postby gwc_wd » February 3rd, 2011, 4:36 pm

I think I can assure you that it is not related to SSL. I only have one site running ssl and detect no meaningful performance difference with or without S2m.

I would bet a large beer that the Host intentionally interferes with (throttles, query stalls, etc) WP installs that run specific plugins. One host was very direct about the matter. They said that a shared account should have no need for "membership fee functions" and that use of S2M could be interpreted as a violation of their TOS. I don't do business with them anymore of course <smile>.

At this point, I think you should be able to ask for tech assistance from GoDaddy and if they are unable or unwilling to provide any assistance -- most particularly in ruling things out -- then you should change hosts. Just interview potential hosts before you make any move, explicitly asking about throttling and policies that might affect your use of WP and S2M.

On related note, by using the WHM tools on my virtual server I was able to determine that LightBox Plus puts a hit on the CPU even on pages where it is not being used. This hit did not show up in Firebug so it was a surprise. When I disabled LightBox Plus it had a very noticeable impact on page loads; albeit at the cost of less sexy full image views.
User avatar
gwc_wd
Registered User
Registered User
 
Posts: 18
Joined: June 27, 2010

Re: ws_plugin__s2member_js_w_globals potential security risk

Postby FrancescoRizzi » February 3rd, 2011, 6:11 pm

gwc_wd wrote:I think I can assure you that it is not related to SSL. I only have one site running ssl and detect no meaningful performance difference with or without S2m.


Good to know! One less possible source to track down :)

gwc_wd wrote:I would bet a large beer that the Host intentionally interferes with (throttles, query stalls, etc) WP installs that run specific plugins. One host was very direct about the matter. They said that a shared account should have no need for "membership fee functions" and that use of S2M could be interpreted as a violation of their TOS. I don't do business with them anymore of course <smile>.


Ah... hmm... by golly... I wonder if that's the same host as I'm using. Do they do commercial with female IndyCar drivers by chance?

gwc_wd wrote:At this point, I think you should be able to ask for tech assistance from GoDaddy and if they are unable or unwilling to provide any assistance -- most particularly in ruling things out -- then you should change hosts.


Yeah, I'm close to contacting them again - last time they washed their hands by saying that the performance was as expected once you turn off the plugins (which was sort of helpful because it put me on the track of checking the plugins-specific stuff)

gwc_wd wrote: Just interview potential hosts before you make any move, explicitly asking about throttling and policies that might affect your use of WP and S2M.


gwc_wd wrote:On related note, by using the WHM tools on my virtual server I was able to determine that LightBox Plus puts a hit on the CPU even on pages where it is not being used. This hit did not show up in Firebug so it was a surprise. When I disabled LightBox Plus it had a very noticeable impact on page loads; albeit at the cost of less sexy full image views.


Again: good to know! Thanks for all the bits and the time you spend replying! I'll see what I can find out - the geek in me is, of course, just intrigued and wants to figure out the exact issue (but the customer-oriented dude in me just needs to get decent performance by go-live date, lol... what am I laughing at? This is getting scary! )
More later!
User avatar
FrancescoRizzi
Registered User
Registered User
 
Posts: 21
Joined: December 2, 2010

Re: ws_plugin__s2member_js_w_globals potential security risk

Postby Jason Caldwell » March 6th, 2011, 6:13 am

Just spotted this thread, and I wanted to share these recent improvements.

s2Member v3.5.2+ ( Changelog excerpts )

  • (s2Member/s2Member Pro). Optimizations. Further internal optimizations applied through configuration checksums that allow s2Member and s2Member Pro to load with even less overhead now.
  • (s2Member/s2Member Pro). Optimizations. Further internal optimizations applied with Hook priorities that allow s2Member and s2Member Pro to load dynamic CSS/JS files with even less overhead now.
  • (s2Member/s2Member Pro). WordPress® 3.1. Updated for full compatibility with WordPress® 3.1 ( s2Member also remains compatible with the WordPress® 3.0.x series ).
  • (s2Member/s2Member Pro). Speed Optimizations. s2Member's entire codebase has been re-organized into PHP classes containing s2Member's static functions ( dev note: all of s2Member's Hooks/Filters remain as they were ). This new infrastructure allows s2Member to take full advantage of PHP's built-in SPL Autoload extension. This means s2Member's source code is loaded ( only on-demand ) as function calls are made within core routines. So instead of loading s2Member's entire codebase into WordPress®; only the objects/methods needed during the processing of particular page will be included. Long story short, this release of s2Member is much faster than previous versions. For advanced site owners, this will make it more feasible to run s2Member in concert many other plugins; even on shared hosting.

Full Changelog here: http://www.primothemes.com/readme/914/#rm-changelog
~ Jason Caldwell / Lead Developer
& Zeitgeist Movie Advocate: http://www.zeitgeistmovie.com/

Is the s2Member plugin working for you? Please rate s2Member at WordPress.org.
You'll need a WordPress.org account ( comes in handy ). Then rate s2Member here Image
.
User avatar
Jason Caldwell
Lead Developer
Lead Developer
 
Posts: 4045
Joined: May 3, 2010
Location: Georgia / USA

Re: ws_plugin__s2member_js_w_globals potential security risk

Postby peterhuk » March 6th, 2011, 5:37 pm

I use S2Member to manage member’s access to WP backend to
alow them to post their own content. The front end is free for all and
require no restriction.

Do I really need:

ws_plugin__s2member_js_w_globals
AND
ws_plugin__s2member_css

Loaded?

If not how do I switch them off using available hooks

PeterHuk
User avatar
peterhuk
Experienced User
Experienced User
 
Posts: 102
Joined: February 12, 2011

Re: ws_plugin__s2member_js_w_globals potential security risk

Postby Cristián Lávaque » March 7th, 2011, 11:30 am

peterhuk wrote: ws_plugin__s2member_js_w_globals
AND
ws_plugin__s2member_css

If not how do I switch them off using available hooks


You can find the instructions in this page http://www.s2member.com/support/

Here's what it says regarding that:

How can I prevent s2Member Pro from loading it's default CSS?

You can place this into the functions.php file for your WordPress® theme.

Code: Select all
remove_action ("ws_plugin__s2member_during_css", "c_ws_plugin__s2member_pro_css_js::css"); 


Or, you could remove only specific action Hooks; based on Payment Gateway.

Code: Select all
remove_action ("ws_plugin__s2member_during_css", "c_ws_plugin__s2member_pro_alipay_css_js::alipay_css");
remove_action ("ws_plugin__s2member_during_css", "c_ws_plugin__s2member_pro_authnet_css_js::authnet_css");
remove_action ("ws_plugin__s2member_during_css", "c_ws_plugin__s2member_pro_ccbill_css_js::ccbill_css");
remove_action ("ws_plugin__s2member_during_css", "c_ws_plugin__s2member_pro_clickbank_css_js::clickbank_css");
remove_action ("ws_plugin__s2member_during_css", "c_ws_plugin__s2member_pro_google_css_js::google_css");
remove_action ("ws_plugin__s2member_during_css", "c_ws_plugin__s2member_pro_paypal_css_js::paypal_css"); 
Cristián Lávaque http://s2member.net
Is s2Member working for you? Please rate it Image at WordPress.org. Thanks! :)
User avatar
Cristián Lávaque
Developer
Developer
 
Posts: 6836
Joined: December 22, 2010

Re: ws_plugin__s2member_js_w_globals potential security risk

Postby peterhuk » March 7th, 2011, 4:25 pm

Hi clavaque,

Many thanks for your reply. I already read those instructions
and they appear to relate to S2Member Pro. But I am currently
only using S2Member.

In addition do you know what the likely effects would be of
switching them off.

Many thanks in advance.

PeterHuk
User avatar
peterhuk
Experienced User
Experienced User
 
Posts: 102
Joined: February 12, 2011

Re: ws_plugin__s2member_js_w_globals potential security risk

Postby s1r0n » August 6th, 2011, 5:00 pm

User avatar
s1r0n
Registered User
Registered User
 
Posts: 57
Joined: May 12, 2011

Re: ws_plugin__s2member_js_w_globals potential security risk

Postby Olene » January 15th, 2012, 2:02 pm

Cristián Lávaque wrote:
peterhuk wrote: ws_plugin__s2member_js_w_globals
AND
ws_plugin__s2member_css

If not how do I switch them off using available hooks


You can find the instructions in this page http://www.s2member.com/support/

Here's what it says regarding that:

How can I prevent s2Member Pro from loading it's default CSS?

You can place this into the functions.php file for your WordPress® theme.

Code: Select all
remove_action ("ws_plugin__s2member_during_css", "c_ws_plugin__s2member_pro_css_js::css"); 


Or, you could remove only specific action Hooks; based on Payment Gateway.

Code: Select all
remove_action ("ws_plugin__s2member_during_css", "c_ws_plugin__s2member_pro_alipay_css_js::alipay_css");
remove_action ("ws_plugin__s2member_during_css", "c_ws_plugin__s2member_pro_authnet_css_js::authnet_css");
remove_action ("ws_plugin__s2member_during_css", "c_ws_plugin__s2member_pro_ccbill_css_js::ccbill_css");
remove_action ("ws_plugin__s2member_during_css", "c_ws_plugin__s2member_pro_clickbank_css_js::clickbank_css");
remove_action ("ws_plugin__s2member_during_css", "c_ws_plugin__s2member_pro_google_css_js::google_css");
remove_action ("ws_plugin__s2member_during_css", "c_ws_plugin__s2member_pro_paypal_css_js::paypal_css"); 

Thanks! This is very helpful!
User avatar
Olene
Registered User
Registered User
 
Posts: 1
Joined: January 15, 2012


Return to s2Member Plugin

Who is online

Users browsing this forum: No registered users and 2 guests

cron