Facebook Badge as a WordPress Sidebar Widget

Skowronek — Fri, 22 Aug 2008 21:54:31 +0000

I tinker around a lot with WordPress. As a matter of fact, I tinker a lot and am quite good at it. I have created various custom modules (unpublished) as well as written a PHPBB to WordPress migration utility (long lost unfortunately). Lately I have been keen to develop custom sidebar widgets by mashing up social site widgets. My latest, the Facebook badge sidebar widget.

This is alpha code and is not intended for those unfamiliar with PHP and/or the WordPress API.

You will also need to be familiar with the WordPress widget API.

Create a Facebook badge

Copy the script code they provide following a successful build

<script src="http://badge.facebook.com/badge/xxxxxxx.js"></script>
<noscript>
	<a href="http://www.new.facebook.com/people/xxxxxx/xxxxxxx">Facebook profile</a>
</noscript>

Add the following PHP function into your widget.php file with the generated code between the badge tags

function widget_facebook($p)
{
?>







}

if ( function_exists('register_sidebar_widget') )
{
		register_sidebar_widget(__('Facebook'), 'widget_facebook', '');
}

Make sure you have dynamic sidebar enabled in your sidebar.php script

<div class="sidebar">
<ul>

	if (function_exists('dynamic_sidebar'))
	{
		dynamic_sidebar(1);
	}
?>
</ul>
</div>

Finally, update your stylesheet to override the Facebook style settings.

.fb_root_vert
{
	width:195px !important
}
 
.fb_vert
{
	width:193px !important
}
 
.fb_object table tr td
{
	width:185px !important
}
 
.fb_badge > a
{
	display:block !important;
	padding-left:50px !important;
}
 
.fb_badge
{
	background:#3B5998 !important;
	margin-bottom:8px !important;
}

Now that you have the code, you can add the widget to your sidebar through the WordPress widget administration screen.

That’s all. Enjoy.

Index of /wp-content/uploads

Skowronek — Fri, 07 Dec 2007 08:32:02 +0000

Tonight, whilst experimenting with the various advanced Google search techniques (hacks) to locate web content, I had an epiphany. Any web directory/folder that has indexes enabled (show an index of the contents of the folder of no directory index file exists) will list the contents of said directory with the phrase “Index of” followed by the actual root-relative path to available list of assets. This is due to the fact that the directory/folder does not have an index document/file present, so the web server spits out the entire list of the folder’s content. But I digress.

I have been using WordPress as my blogging platform for a few years now. Before that was a hybrid of PHPBB and custom PHP application I wrote. WordPress works great and has robust features that make blogging a snap for the more technical (such as myself, ehem) and also for the less technical netizens out there. Now, one of these great features is the ability to upload pictures and files (content) through a web interface. What a great concept (this is where the epiphany came in) except if you weren’t planning on listing up the contents of your entire uploads folder to the world. which happens to be the case with some (okay a lot of) default installations of WordPress.

Lets say you “Google” the “Index of” any WordPress uploads folders (/wp-content/uploads). You don’t have to be a rock scientist (yes, that was a joke) to realize the possible implications. Let me give you an idea of the figure as of tonight: 4,143,000 indexes. That’s 4,143,000 WordPress installations that have directory indexes enabled and are completely wide open to crawlers and spiders that can pilfer (argh) their content.

Try it yourself: http://www.google.com/search?q=Index+of+%2Fwp-content

There are plenty of other “Index of” combinations out there:

Now obviously if someone is using WordPress and uploading content, it’s more than likely related to their blog, and perfectly okay for the world to sneak a peak. However, for those sites that are using WordPress as a corporate platform, with confidential information (don’t ask me why you would want to do this with WordPress…), this is a huge security issue.

Moral of the story, unplug your computer, no one is safe.

Here are a bunch I found in a forum while actually doing a search on _vti (Front Page extensions).

filetype:htpasswd htpasswd
intitle:"Index of" “.htpasswd" -intitle:"dist"
           -apache -htpasswd.c
index.of.private (algo privado)
intitle:index.of master.passwd
inurl:passlist.txt (para encontrar listas de passwords)
intitle:"Index of..etc" passwd
intitle:admin intitle:login
“Incorrect syntax near" (SQL script error)
intitle:"the page cannot be found" inetmgr
intitle:index.of ws_ftp.ini
“Supplied arguments is not a valid PostgreSQL result"
_vti_pvt password intitle:index.of
inurl:backup intitle:index.of inurl:admin
“Index of /backup"
index.of.password
index.of.winnt
inurl:"auth_user_file.txt"
“Index of /admin"
“Index of /password"
“Index of /mail"
“Index of /" +passwd
Index of /" +.htaccess
Index of ftp +.mdb allinurl:/cgi-bin/ +mailto
allintitle: “index of/admin"
allintitle: “index of/root"
allintitle: sensitive filetype:doc
allintitle: restricted filetype :mail
allintitle: restricted filetype:doc site:gov
administrator.pwd.index
authors.pwd.index
service.pwd.index
filetype:config web
gobal.asax index
inurl:passwd filetype:txt
inurl:admin filetype:db
inurl:iisadmin
inurl:"auth_user_file.txt"
inurl:"wwwroot/*."
allinurl: winnt/system32/ (get cmd.exe)
allinurl:/bash_history
intitle:"Index of" .sh_history
intitle:"Index of" .bash_history
intitle:"Index of" passwd
intitle:"Index of" people.1st
intitle:"Index of" pwd.db
intitle:"Index of" etc/shadow
intitle:"Index of" spwd
intitle:"Index of" master.passwd
intitle:"Index of" htpasswd
intitle:"Index of" members OR accounts
intitle:"Index of" user_carts OR user _cart

Skowronek.org » Wordpress

Facebook Badge as a WordPress Sidebar Widget

Index of /wp-content/uploads