drivelocity.com - senseless nonsense in a nonsensical world

19 Dec, 2008

Top Commentators Link Hijack Vulnerability

Posted by: drivelocity | In: Blogging, Site News

I was using the Top Commentators plugin, created by WebGrrrl, downloaded from WordPress.org. Supposedly the latest version she released fixed the link hijack vulnerability by letting you group commenters by name or by email address, but as I discovered today, it didn’t work. I don’t know if it was intentional link hijacking, but will assume it was not…

While I commented about it here, I thought that enough people use this plugin that I should highlight this problem in case people are using that version.

Instead of using that plugin, try this one, found at StuffBySarah.net. Unfortunately it’s not as plug-and-play as the original, but it only took a matter of minutes to get it set up.

In order to use it as a widget, you will need the ExecPHP plugin found here. Once you install and activate that plugin, you can go to your Widgets and drag over “PHP Code” – edit that widget and paste in the following code:

<?php if(function_exists('ns_show_top_commentators')) { ?>
<li>
<ul><?php ns_show_top_commentators(); ?></ul>
</li>
<?php } ?>

If you don’t use widgets, you can add this code to your sidebar php file:

<?php if(function_exists('ns_show_top_commentators')) { ?>
<li>
<h2>Top Commentators</h2>
<ul><?php ns_show_top_commentators(); ?></ul>
</li>
<?php } ?>

I should point out that the code above is not what I found to work best due to the unordered lists… Here is the exact code I have in the widget:

Want to be listed here? Leave some comments!
<br/><br/>
<?php if(function_exists('ns_show_top_commentators')) { ?>
<ul><?php ns_show_top_commentators(); ?></ul>
<?php } ?>

Now, I don’t know if everyone using the original Top Commentators plugin was experiencing this problem, but I was able to replicate it on two different blogs and have since tested the new plugin on both blogs with no hijacking. I hope this helps some of you…
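To make the mechanism concrete, here is an added illustration (not code from either plugin) of why the grouping key matters. It models the widget’s aggregation over constructed comment rows, first keyed on the display name alone and then on the e-mail address as the post describes, plus a small check a blog owner can run over their own comments to spot an entry whose link no longer matches; the “most recent comment supplies the URL” behaviour is an assumption made for the illustration.

```python
from collections import OrderedDict

# Constructed sample rows, shaped like the columns a top-commentators widget
# reads from the comments table (display name, e-mail, URL). The last row
# reuses Alice's display name but carries a different e-mail and URL.
COMMENTS = [
    {"author": "Alice", "email": "alice@example.com", "url": "https://alice.example/"},
    {"author": "Alice", "email": "alice@example.com", "url": "https://alice.example/"},
    {"author": "Bob",   "email": "bob@example.com",   "url": "https://bob.example/"},
    {"author": "Alice", "email": "other@example.net", "url": "https://other.example/"},
]


def top_commentators(comments, group_by="author"):
    """Aggregate comments into (display name, url, count) rows.

    group_by="author" mirrors the weak setting: rows are keyed on the display
    name alone, so whoever commented most recently under that name supplies
    the URL shown next to it (assumed behaviour for this illustration).
    group_by="email" keys on the e-mail address, so a comment that merely
    shares a display name becomes its own entry and cannot replace the link.
    """
    groups = OrderedDict()
    for c in comments:
        entry = groups.setdefault(c[group_by], {"author": c["author"], "url": c["url"], "count": 0})
        entry["count"] += 1
        entry["url"] = c["url"]  # most recent comment under this key wins
    ranked = sorted(groups.values(), key=lambda e: -e["count"])  # stable sort keeps insertion order on ties
    return [(e["author"], e["url"], e["count"]) for e in ranked]


def find_url_conflicts(comments):
    """Return display names whose comments carry more than one URL.

    A cheap owner-side check: a name that suddenly maps to two different URLs
    is exactly what a hijacked Top Commentators entry looks like.
    """
    seen = {}
    for c in comments:
        seen.setdefault(c["author"], set()).add(c["url"])
    return sorted(name for name, urls in seen.items() if len(urls) > 1)
```

With the sample rows, name keying lists Alice with three comments but the third commenter’s URL, while e-mail keying keeps Alice’s own link and shows the look-alike as a separate one-comment entry.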

14 Responses to "Top Commentators Link Hijack Vulnerability"

1 | World Trade Center Coins

December 23rd, 2008 at 8:25 am

I just installed the new commentators plugin on my blog, and I can see from your post that I need to change it out. I will do that and also use the linklove; I see that works great also.


2 | drivelocity

December 23rd, 2008 at 9:41 am

I’m glad I could help someone with the hijack issue! I don’t think I’ve seen a plugin called linklove, so I’ll have to look into that one… Thanks!

3 | Andy Bailey

December 24th, 2008 at 4:07 pm

I used to have the top commentators plugin too until people started hijacking existing comment authors’ names.
I might have to come up with one myself!


4 | drivelocity

December 25th, 2008 at 2:44 am

Thanks for the comment Andy! Have you tried the one I mentioned in this post? I tested it and haven’t found it possible to hijack links…

5 | Atniz

January 5th, 2009 at 1:56 am

I’m not sure whom my plugin is from. But it works well for me.


6 | drivelocity

January 5th, 2009 at 9:44 am

Thanks for the comments Atniz! :)

If, on the plugins page of your site, it reads, “Show Top Commentators (SarahG Version)” you’re good to go. If not, you probably have the other one called “Top Commentators Widget” from WebGrrrl.net, which is the one that’s vulnerable to the link hijacking.

You can also test this for yourself by logging out, posting a comment as someone on your Top Commentators list and seeing if it changes the link to the URL you specify. You can then delete your comment and it will go back to their URL.

7 | Jay

January 7th, 2009 at 4:48 pm

Man, I hate all this coding stuff. Thanks for the heads up though, and for at least making it easier for someone like me to understand.


8 | drivelocity

January 8th, 2009 at 9:41 am

No problem. Thanks for the comment Jay! :)

9 | Lorna

April 21st, 2009 at 10:18 pm

I only stumbled on your post today, so I apologize for the late feedback. The link hijack issue caused by using the plugin is solved in the widget IF you’re using version 1.0 or later, AND have the comments grouped by e-mail, instead of user names (which is selected by default). I gave this an option in case other users feel uncomfortable doing so. In any case, it’s great to know that the other fix is able to address your problem. Cheers!


10 | drivelocity

April 22nd, 2009 at 11:25 am

Thanks for the update Lorna! I noticed my link had been hijacked on someone else’s blog recently, so hopefully they’ll update their plugin!

11 | Lithiummind

June 11th, 2009 at 2:37 am

Thanks for the GREAT TIP. I installed the first plugin and then stumbled upon your blog. Now I have switched my plugin to the one by SarahG.


12 | drivelocity

June 11th, 2009 at 6:56 am

You’re welcome! I’m glad I could help. To be honest, the other plugin may have been updated since this post & the issue may be resolved. If I find the time, I’ll try it on a test blog…

13 | Lori

August 23rd, 2009 at 6:20 am

Thanks for that :) I think that the issue is fixed in the new version of the plugin :)

14 | A Joyful Path » Blog Archive » I DID get hacked

October 25th, 2009 at 8:16 am

[...] Jen about it. She asked me again which widget this was I’d recently installed and pulled up Top Commentators Linked to Hijack Vulnerability to show [...]
