Get the most out of your Centmin Mod LEMP stack
Become a Member

Wordpress Wordpress jQuery1.12.4 Vulnerability

Discussion in 'Blogs & CMS usage' started by EckyBrazzz, May 8, 2019.

  1. eva2000

    eva2000 Administrator Staff Member

    44,413
    10,142
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,690
    Local Time:
    3:57 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    missing the submodule for wp-jquery-manager/inc/plugin-update-checker directory/files

    For forked version at centminmod/wp-jquery-manager would be
    Code (Text):
    cd /svr-setup
    git clone -b centminmod https://github.com/centminmod/wp-jquery-manager
    cd wp-jquery-manager
    git submodule update --init
    # verify submodule update
    ls -lah inc/plugin-update-checker
    

    example output
    Code (Text):
    git clone -b centminmod https://github.com/centminmod/wp-jquery-manager
    Cloning into 'wp-jquery-manager'...
    remote: Enumerating objects: 85, done.
    remote: Counting objects: 100% (85/85), done.
    remote: Compressing objects:  25% (20/80)  
    remote: Compressing objects: 100% (80/80), done.
    remote: Total 4218 (delta 21), reused 63 (delta 5), pack-reused 4133
    Receiving objects: 100% (4218/4218), 4.55 MiB | 18.13 MiB/s, done.
    Resolving deltas: 100% (1660/1660), done.
    
    cd wp-jquery-manager
    
    git submodule update --init
    Submodule 'inc/plugin-update-checker' (https://github.com/YahnisElsts/plugin-update-checker.git) registered for path 'inc/plugin-update-checker'
    Cloning into '/svr-setup/wp-jquery-manager/inc/plugin-update-checker'...
    Submodule path 'inc/plugin-update-checker': checked out '9d087b7d9c4e040087b14aaba2c171aa81d34603'
    
    ls -lah inc/plugin-update-checker                
    total 68K
    drwxr-xr-x 8 root root 4.0K May  9 03:10 .
    drwxr-xr-x 3 root root 4.0K May  9 03:10 ..
    -rw-r--r-- 1 root root  707 May  9 03:10 composer.json
    drwxr-xr-x 2 root root 4.0K May  9 03:10 css
    -rw-r--r-- 1 root root  271 May  9 03:10 .editorconfig
    drwxr-xr-x 2 root root 4.0K May  9 03:10 examples
    -rw-r--r-- 1 root root   53 May  9 03:10 .git
    drwxr-xr-x 2 root root 4.0K May  9 03:10 js
    drwxr-xr-x 2 root root 4.0K May  9 03:10 languages
    -rw-r--r-- 1 root root 1.1K May  9 03:10 license.txt
    -rw-r--r-- 1 root root 1.1K May  9 03:10 plugin-update-checker.php
    drwxr-xr-x 4 root root 4.0K May  9 03:10 Puc
    -rw-r--r-- 1 root root  16K May  9 03:10 README.md
    drwxr-xr-x 2 root root 4.0K May  9 03:10 vendor
    


    Then you can copy/move/zip up /svr-setup/wp-jquery-manager for use
     
  2. EckyBrazzz

    EckyBrazzz Active Member

    867
    182
    43
    Mar 28, 2018
    >>>>Click here<<<< i'm nearby......
    Ratings:
    +333
    Local Time:
    2:57 AM
    Latest
    Latest
    Your the best, but is there a handbrake somewhere, so fast! Yeah, noticed it when verify line 55 that I was missing it, Thanks
     
  3. EckyBrazzz

    EckyBrazzz Active Member

    867
    182
    43
    Mar 28, 2018
    >>>>Click here<<<< i'm nearby......
    Ratings:
    +333
    Local Time:
    2:57 AM
    Latest
    Latest
    Missing some bytes. Yours is 68K
    Code (Text):
    [03:21][root@server6 wp-jquery-manager]# ls -lah inc/plugin-update-checker
    total 40K
    drwxr-xr-x 8 root root  208 May  9 03:21 .
    drwxr-xr-x 3 root root   59 May  9 03:20 ..
    -rw-r--r-- 1 root root  707 May  9 03:21 composer.json
    drwxr-xr-x 2 root root   31 May  9 03:21 css
    -rw-r--r-- 1 root root  271 May  9 03:21 .editorconfig
    drwxr-xr-x 2 root root   43 May  9 03:21 examples
    -rw-r--r-- 1 root root   53 May  9 03:21 .git
    drwxr-xr-x 2 root root   26 May  9 03:21 js
    drwxr-xr-x 2 root root 4.0K May  9 03:21 languages
    -rw-r--r-- 1 root root 1.1K May  9 03:21 license.txt
    -rw-r--r-- 1 root root 1.1K May  9 03:21 plugin-update-checker.php
    drwxr-xr-x 4 root root   28 May  9 03:21 Puc
    -rw-r--r-- 1 root root  16K May  9 03:21 README.md
    drwxr-xr-x 2 root root   79 May  9 03:21 vendor
    


    Renamed wp-jquery-manager to wp-jquery-manager.old and copied it over. Stange, the renamed .old is still there, but guess I actived the correct one, got a update function :)

    Screenshot_14.png
     
    Last edited: May 9, 2019
  4. eva2000

    eva2000 Administrator Staff Member

    44,413
    10,142
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,690
    Local Time:
    3:57 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    okay might want to give it a few hours to try again, I'll have more updates to this fork :)
     
  5. EckyBrazzz

    EckyBrazzz Active Member

    867
    182
    43
    Mar 28, 2018
    >>>>Click here<<<< i'm nearby......
    Ratings:
    +333
    Local Time:
    2:57 AM
    Latest
    Latest
    12:45AM, yeah gona check it in a few hours ;) Keep my average of 21/7
     
  6. eva2000

    eva2000 Administrator Staff Member

    44,413
    10,142
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,690
    Local Time:
    3:57 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    I created a zip package release 1.7.2-cmm for centminmod branch fork at centminmod/wp-jquery-manager you can try with the submodules added - download the 1.7.2-cmm linked named one not the source ones listed in assets section as they don't include submodules.
     
  7. eva2000

    eva2000 Administrator Staff Member

    44,413
    10,142
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,690
    Local Time:
    3:57 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    Example of my forked wp-jquery-manager jquery files with patched versions from DanielRuf/snyk-js-jquery-174006 for CVE-2019-11358 - prototype pollution vulnerability fixes in jquery 1.12.4, 2.2.4, 3.3.1 and also fully fixed jquery 3.4.1 on Wordpress 5.2 which was just released. Installed Wordpress 5.2 via centmin.sh menu option 22 wordpress auto installer with test code for php-fpm fastcgi_cache full page wordpress caching :)

    I created a wp-jquery-manager 1.7.2-cmm release tag (and 1.7.6-cmm release tagged and 1.7.8-cmm release tagged) which bundles the submodules required as well. So SSH installation for Centmin Mod 123.09beta01 and newer version of centmin.sh menu option 22 would install Wordpress 5.2 into directory at /home/nginx/domains/yourdomain.com/public where yourdomain.com is your wordpress site's domain name.

    Change vhostname=yourdomain.com to assign your domain name to vhostname variable and run these commands after installing Wordpress via centmin.sh menu option 22. I use wp-cli to activate the plugin and check it's status.
    Code (Text):
    vhostname=yourdomain.com
    cd /svr-setup
    wget https://github.com/centminmod/wp-jquery-manager/releases/download/1.7.8-cmm/1.7.8-cmm.zip
    unzip 1.7.8-cmm.zip -d /home/nginx/domains/$vhostname/public/wp-content/plugins/wp-query-manager
    chown -R nginx:nginx /home/nginx/domains/$vhostname/public/wp-content/plugins/wp-query-manager
    ls -lah /home/nginx/domains/$vhostname/public/wp-content/plugins/wp-query-manager
    cd /home/nginx/domains/$vhostname/public
    wp plugin activate wp-query-manager --allow-root
    wp plugin status wp-query-manager --allow-root
    

    Code (Text):
    wp plugin activate wp-query-manager --allow-root
    Plugin 'wp-query-manager' activated.
    Success: Activated 1 of 1 plugins.
    
    wp plugin status wp-query-manager --allow-root
    Plugin wp-query-manager details:
       Name: jQuery Manager for WordPress
       Status: Active
       Version: 1.7.6-cmm
       Author: Remzi Cavdar
       Description: Manage jQuery and jQuery Migrate on a WordPress website, select a specific jQuery and/or jQuery Migrate version. The ultimate jQuery debugging tool for WordPress. This plugin is a open source project, made possible by your contribution (code). Development is done on GitHub.
    

    Now seeing jquery 3.4.1 and jquery-migrate 3.0.1 in action on default Wordpress 5.2 theme, Twenty Nineteen.

    wp-jquery-manager-1.7.2-cmm-02.png wp-jquery-manager-1.7.2-cmm-03.png

    wp-jquery-manager, only updates jquery 3.4.1 and jquery-migrate 3.0.1 on frontend of wordpress. The admin backend can use default included jquery 1.12.4 and jquery-migrate 1.4.1 for best compatibility without breaking the admin backend

    wp-jquery-manager-1.7.2-cmm-05.png

    As Autoptimize Wordpress plugin is installed, I temporarily disable JS optimisations so I can see jquery and jquery-migrate's individual files and version query strings load to verify that correct versions are loaded.

    wp-jquery-manager-1.7.2-cmm-04.png

    And centmin.sh menu option tested php-fpm fastcgi_cache full page Wordpress caching in action for cache miss/bypass versus cache hit. Centmin Mod will create a include file at /usr/local/nginx/conf/wpfastcgi_cache_map.conf loaded in /usr/local/nginx/conf/nginx.conf which has a debug nginx map to whitelist your IP addresses so only those whitelisted IPs will be able to see the additional php-fpm fastcgi_cache status/stats related headers.
    Code (Text):
    map $remote_addr $fastcgi_debug {
      default 0;
      include /usr/local/nginx/conf/wpfastcgi_cache_map_debug.conf;
      # YOUR_ISP_IP_ADDR 1;
    }
    

    If you prefer for all visitors to view the additional headers without using whitelisted IPs, just change default 0 to default 1 as below and restart nginx service.
    Code (Text):
    map $remote_addr $fastcgi_debug {
      default 1;
      include /usr/local/nginx/conf/wpfastcgi_cache_map_debug.conf;
      # YOUR_ISP_IP_ADDR 1;
    }
    


    FYI, x-fpmcache-skip header actually tells you the class/rule (cookies, POST, querystrings, XMLHttprequest, specific URIs etc) which caused the fastcgi_cache to bypass the cache. In this case it was due to multiple -Cookie which append to each other, so in this case 2x wordpress logged in cookies caused a cache bypass.

    wp-jquery-manager-1.7.2-cmm-fastcgi-cache-01.png wp-jquery-manager-1.7.2-cmm-fastcgi-cache-02.png
     
    Last edited: Jun 3, 2019
  8. EckyBrazzz

    EckyBrazzz Active Member

    867
    182
    43
    Mar 28, 2018
    >>>>Click here<<<< i'm nearby......
    Ratings:
    +333
    Local Time:
    2:57 AM
    Latest
    Latest
    Perfect, install without any errors! Testing it now
     
  9. eva2000

    eva2000 Administrator Staff Member

    44,413
    10,142
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,690
    Local Time:
    3:57 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    Let me know how it goes in the real world in production/testing for you :)
     
  10. EckyBrazzz

    EckyBrazzz Active Member

    867
    182
    43
    Mar 28, 2018
    >>>>Click here<<<< i'm nearby......
    Ratings:
    +333
    Local Time:
    2:57 AM
    Latest
    Latest
    :drowning: nano /usr/local/nginx/conf/wpfastcgi_cache_map.conf is empty, guess I'm missing something.
     
  11. eva2000

    eva2000 Administrator Staff Member

    44,413
    10,142
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,690
    Local Time:
    3:57 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    only available for centmin.sh menu option 22 fastcgi_cache method installs and that is internal private beta tested right now so not available by default - yet :)
     
  12. EckyBrazzz

    EckyBrazzz Active Member

    867
    182
    43
    Mar 28, 2018
    >>>>Click here<<<< i'm nearby......
    Ratings:
    +333
    Local Time:
    2:57 AM
    Latest
    Latest
    Feeling a little bit "sad" here in Brazil. What to do to make that yet into another value?

    Was wondering why I was missing these nice headers and do want to have them.
     
  13. EckyBrazzz

    EckyBrazzz Active Member

    867
    182
    43
    Mar 28, 2018
    >>>>Click here<<<< i'm nearby......
    Ratings:
    +333
    Local Time:
    2:57 AM
    Latest
    Latest
    I'm doing something wrong. I don't get any contect encoding headers from my server. From sources that are not on my server I get them.
    Screenshot_15.png
     
  14. eva2000

    eva2000 Administrator Staff Member

    44,413
    10,142
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,690
    Local Time:
    3:57 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    Yeah there is another persistent config variable to enable centmin.sh menu option 22's fastcgi_cache full page cache method - just the routine isn't for configuration and setup isn't perfected yet so needs more time :)

    FYI, ngx_pagespeed won't work properly with any of the full page wordpress caching methods - keycdn cache enabler, redis nginx level cache, wordpress super cache or fastcgi_cache caching. Reason is ngx_pagespeed requires the document/html page to use nocache headers out of the box so it can monitor and learn what page assets and page render/flow happens to be able to do ngx_pagespeed's page speed optimizations. With nocache header in place, all those full page cache methods will only ever return a cache miss/bypass for full page wordpress caching. Also ngx_pagespeed will do it's own compression taking priority from Centmin Mod Nginx and any gzip/brotli precompressed assets AFAIK.

    So basically with wordpress full page caching in place, you need to disable ngx_pagespeed.
     
  15. EckyBrazzz

    EckyBrazzz Active Member

    867
    182
    43
    Mar 28, 2018
    >>>>Click here<<<< i'm nearby......
    Ratings:
    +333
    Local Time:
    2:57 AM
    Latest
    Latest
    I disabled ngx_pagespeed but there was no difference; Also I use it together with Cloudflare, but all optimization options in CloudFlare Disabled. Enabling/disabling Cloudflare and ngx_pagespeed and combinations of it, no difference.

    Code (Text):
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    pagespeed unplugged;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    


    Obs. Noticed on several sites that without the pagespeed unplugged; and commented out pagespeed, ngx_pagespeed they still see that's it is active. So a suggestion to add that line by default to the vhost. It should be placed in the correct order as above in the code block to work.

    Will give it an try to disable ngx_pagespeed in the persistent config file /etc/centminmod/custom_config.inc by setting them both to 'n'
     
  16. eva2000

    eva2000 Administrator Staff Member

    44,413
    10,142
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,690
    Local Time:
    3:57 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    when you disable ngx_pagespeed via pscontrol off command, it should set pagespeed unplugged in global
    /usr/local/nginx/conf/pagespeed.conf include file so no need to set in your vhost.

    Also for testing use Chrome private incognito browsing sessions so you sure you're not testing with browser cache. Also test with 3rd party curl test or curl command line header checks to ensure you see all headers as sometimes not all headers shown in browser dev tool network tab's response header fields HTTP Header Check with an online CURL tool
     
  17. EckyBrazzz

    EckyBrazzz Active Member

    867
    182
    43
    Mar 28, 2018
    >>>>Click here<<<< i'm nearby......
    Ratings:
    +333
    Local Time:
    2:57 AM
    Latest
    Latest
    When using pscontrol off it disables ngx_pagespeed for all sites. Well, can imagine that we don't want this to happen if we use ngx_pagespeed on other sites, so putting pagespeed unplugged; on a single vhost is in most cases is a better solution.

    Got a little confused with the results of https://www.webpagetest.org/ after disabling ngx_pagespeed.
    The average gain is 50-95ms, but many times it gives a 10 seconds, and that is worrying me.
    The cause is now reCaptcha from google, never had it before.

    Also, before disabling ngx_pagespeed all items had an A, now cache is C. Guess I spend a lot of time that seems to be wasted at the moment. Maybe a warning at https://community.centminmod.com/th...agespeed-dynamic-module-for-nginx-plus.10679/ what is does with CMM is needed.
    Pros and Cons....

    Have a look at the link and if you have any suggestions to use CMM without ngx_pagespeed please do let me know.
    Now I need some time to think it over again.

    Just need that "Perfect server and duplicate it".
     
    Last edited: May 10, 2019
  18. eva2000

    eva2000 Administrator Staff Member

    44,413
    10,142
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,690
    Local Time:
    3:57 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    that is due to the wpsecure custom whitelisted wp plugin location syntax canceling out staticfiles.conf include file's expire cache headers - ngx_pagespeed only optimizes the missing expire headers which can still do without ngx_pagespeed

    upload_2019-5-10_3-43-30.png
    so change in https://community.centminmod.com/threads/autoprotect-is-driving-me-crazy.17324/#post-73475 from
    Code (Text):
      location ~ ^/wp-content/plugins/sitepress-multilingual-cms/(.+/)?(.+)\.(css|js)$ { allow all; }
      location ~ ^/wp-content/plugins/sitepress-multilingual-cms/(.+/)?(.+)\.(png|gif)$ { allow all; }
      location ~* /wp-content/plugins/sitepress-multilingual-cms/.*\.php$ {
       include /usr/local/nginx/conf/php.conf;
       allow 127.0.0.1;
       deny all;
      }
    

    to add expires 30d directive and restart nginx
    Code (Text):
      location ~ ^/wp-content/plugins/sitepress-multilingual-cms/(.+/)?(.+)\.(css|js)$ { allow all; expires 30d;}
      location ~ ^/wp-content/plugins/sitepress-multilingual-cms/(.+/)?(.+)\.(png|gif)$ { allow all; expires 30d;}
      location ~* /wp-content/plugins/sitepress-multilingual-cms/.*\.php$ {
       include /usr/local/nginx/conf/php.conf;
       allow 127.0.0.1;
       deny all;
      }
    
     
  19. eva2000

    eva2000 Administrator Staff Member

    44,413
    10,142
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,690
    Local Time:
    3:57 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    yeah indeed that is correct way to do it for single vhost - but it's just knowledge you need to know for ngx_pagespeed.
    Yeah probably need to add it to https://centminmod.com/nginx_ngx_pagespeed.html as well.
     
  20. EckyBrazzz

    EckyBrazzz Active Member

    867
    182
    43
    Mar 28, 2018
    >>>>Click here<<<< i'm nearby......
    Ratings:
    +333
    Local Time:
    2:57 AM
    Latest
    Latest
    Perfect, changed from C to B, but working on a child-theme to get it even better.

    HTTP Header Check with an online CURL tool testing
    wp-content/plugins/onesignal-free-web-push-notifications/notice.js

    Gives me good news!