Life Flickr'd before my eyes



  • I was after a quick-and-simple way to get a widget on my Wordpress blog's sidebar showing the latest photos from my Flickr feed, so I grabbed a likely contender straight off the Wordpress plugins site and installed it. A minor bug, it showed "michaeltyson posted a photo" in every title, so I opened up the plugin and took a peek under the hood. Then freaked out.

    Check it:

    [code]
    if ($javascript) $flickrformat = "json"; else $flickrformat = "php";
    ...
    // Screen name or RSS in $username?
    if (!ereg("http://api.flickr.com/services/feeds", $username))
    	$url = "http://api.flickr.com/services/feeds/photos_public.gne?id=".urlencode($user_id)."&format=".$flickrformat."&lang=en-us".$tags;
    else
    	$url = $username."&format=".$flickrformat.$tags;
    
    // Output via php or javascript?
    if (!$javascript)
    {
    	eval("?>". file_get_contents($url) . "<?");
    	$photos = $feed;
    	
    	if ($random) shuffle($photos["items"]);
    	
    	if ($photos)
    	{
    		foreach($photos["items"] as $key => $value)
    		{
    ......
    [/code]

    Yep. That's a "php" output format from Flickr that contains PHP code to assign values to a local array. So you just evaluate whatever Flickr gives you and you're good to go.

    It's good to know that if Flickr ever get compromised (etc), that everyone using this plugin and any other piece of software that uses this API will have arbitrary code run on their site. Fun!


  • Discourse touched me in a no-no place

     What the FUCK?

     Adding Flickr to the blacklist now. That API should not exist and never should have existed.



  • Yeah, I'm pretty amazed. What were they thinking?!



  • A worrying WTF. 

    Also, 

     @michaeltyson said:

    <font face="Lucida Console" size="2">$url = $username."&format=".$flickrformat.$tags; </font>

     I didn't realise PHP accepted unicode text as input. 



  • Not only if Flickr gets compromised, but also if someone were to use a DNS exploit to redirect flickr.com to another system from that server's point of view. A third WTF is the short opening tag. Slap this person, please.



  • @lolwtf said:

    Not only if Flickr gets compromised, but also if someone were to use a DNS exploit to redirect flickr.com to another system from that server's point of view. A third WTF is the short opening tag. Slap this person, please.

    This is why APIs should always run on SSL.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.