I haven’t been updating or working on this WordPress plugin of mine for a while now. And it seems it has been removed from the WordPress.org plugin directory.
I’ve put up a temporary mirror link on the page here for those desperate enough to want it now. However, an exploit was reported against it. Details below.
tl/dr An exploit was reported to WordPress support. The plugin was pulled. Will be fixed.
I think the term “exploit” is not completely true. I’m not able to replicate the exploit on my web servers.
You have to have a publicly visible form with an upload widget, and allow anonymous users to upload. The reported exploit uses only the first form, but in theory any form could be used. Your temporary upload folder must also be publicly accessible; but if the post is automatically published, then the uploaded file will be publicly available anyway.
But you must also have your web server configured to execute files as PHP even if their extension is .jpg. On my host, and even on my default test setups, this is not the default. I’m not a big enough web server admin expert to properly understand all the ins and outs of this part, but generally it’s outside the scope of WordPress or tdo-mini-forms.
Example: the exploit user would upload script_to_run.php.jpg to your upload form. They’d then run it using a URL pointing into the temp folder (if it’s public; uploads are kept there for one hour). My setup would always treat that file as an image file, so it wouldn’t run.
See this thread from the wp-hackers mailing list for more info on it.
If you think you’re currently affected, remove the upload widget from your forms or only allow trusted users to upload files.
WordPress does now have code to remove the double extension, so I plan to update tdo-mini-forms to do the same. I’m afraid I don’t currently have a test bed or a huge amount of time to fix this, but I will do it in the next month or so.
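As an added illustration of the fix described above (this is not code from TDO Mini Forms or from WordPress core), the standalone PHP below shows the two checks an upload handler needs so that a name like script_to_run.php.jpg can never be stored with a ".php" segment in it: collapse the filename to exactly one whitelisted extension, and confirm the file's bytes really are that image type. The function names, the `ALLOWED_IMAGE_TYPES` table and the sample filenames are assumptions constructed for the demonstration.

```php
<?php
// Added example (not code from TDO Mini Forms or WordPress): neutralising
// double-extension upload names such as script_to_run.php.jpg.
// ALLOWED_IMAGE_TYPES and the sample names below are constructed for the demo.

// The only extensions the form accepts, mapped to the MIME type that the
// file's actual content must report.
const ALLOWED_IMAGE_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Reduce a client-supplied filename to a safe basename with exactly one
 * extension. Returns null when the file must be rejected.
 */
function safe_upload_name(string $original): ?string
{
    // Discard any directory part the client sent (../, C:\, etc.).
    $name  = basename(str_replace('\\', '/', $original));
    $parts = explode('.', $name);
    if (count($parts) < 2) {
        return null;                          // no extension at all
    }

    $ext = strtolower((string) array_pop($parts));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        return null;                          // e.g. shell.php, shell.phtml
    }

    // Everything before the last dot becomes the stem. Inner dots are
    // replaced, so "script_to_run.php.jpg" leaves no ".php" segment for a
    // handler rule such as "AddHandler ... .php" to match on.
    $stem = preg_replace('/[^A-Za-z0-9_-]+/', '_', implode('_', $parts));
    $stem = trim((string) $stem, '_');
    if ($stem === '') {
        $stem = 'upload';
    }
    return substr($stem, 0, 64) . '.' . $ext;
}

/**
 * Check that the file's content really is the image type its extension
 * claims, using libmagic rather than the client-supplied MIME type.
 */
function content_matches_extension(string $path, string $safeName): bool
{
    $ext   = strtolower(pathinfo($safeName, PATHINFO_EXTENSION));
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    return $mime !== false && $mime === ALLOWED_IMAGE_TYPES[$ext];
}

/**
 * Accept one entry of $_FILES into $tempDir under a random name, or return
 * null. $tempDir should be served with script execution disabled.
 */
function accept_upload(array $file, string $tempDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $safe = safe_upload_name($file['name'] ?? '');
    if ($safe === null || !content_matches_extension($file['tmp_name'], $safe)) {
        return null;
    }
    // A random stem stops the temp-folder URL from being guessable; the
    // extension is the validated one, never the client's original string.
    $dest = rtrim($tempDir, '/') . '/' . bin2hex(random_bytes(16))
          . '.' . pathinfo($safe, PATHINFO_EXTENSION);
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// Demonstration on constructed filenames (no real upload needed):
//   photo.jpg             => photo.jpg
//   script_to_run.php.jpg => script_to_run_php.jpg
//   shell.php             => REJECTED
//   ../../evil.PNG        => evil.png
//   noext                 => REJECTED
foreach (['photo.jpg', 'script_to_run.php.jpg', 'shell.php', '../../evil.PNG', 'noext'] as $n) {
    printf("%-24s => %s\n", $n, safe_upload_name($n) ?? 'REJECTED');
}
```

Two notes on the server side of the problem the post describes. First, the reason a .php.jpg file can run on some hosts is that Apache's mod_mime `AddHandler application/x-httpd-php .php` matches ".php" anywhere in a multi-extension filename; the usual hardening is to bind the handler with `<FilesMatch "\.php$">` … `SetHandler` so only a final ".php" counts, and to turn PHP off altogether in the upload and temp folders. Second, WordPress core's `sanitize_file_name()` already collapses intermediate extensions in the same spirit as `safe_upload_name()` above, which is the core code the post refers to.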
Hey, thanks for the update. I started using the plugin like a month ago and noticed it disappeared from WP’s directory a few days ago and started to worry.
I am having some trouble with the import feature though; will try to post in the forum.
Yes, thanks so much for the update. I absolutely LOVE TDO forms and consider it one of my favorite / most useful plugins on several WordPress sites. Looking forward to the update.
I’m currently having trouble getting the “your submissions” link to appear in the dash for my users! I edited the your submissions.php file by only changing some text, and I think the last update I ran caused this not to show up anymore! I was going to delete and reinstall but, like you said… not there now. I don’t know what to do as I desperately need this link available for my users. What should I do? Is there another plugin out there that has the same feature?
Thanks
@Josh You should be able to configure the “your submission” link from the general options for the plugin.
How to support Chinese?
@wordpress主题书包 TDOMF uses the WordPress localization stuff. See this.
Hi, I tried to implement the form but it showed me all white boxes… How can I make the boxes different colours or distinguishable?
Thanks in advance.
@Chiprang I’m not sure what you mean.
I’ve been theming your great plugin and have come up against a wall on the image upload iframe/widget. The Choose file button occurs in the line
<input type='file' name='uploadfile__' id='uploadfile__' size='30' onChange="validateFile('uploadfile_',true);" />
If I type the input type=file I get a box round the whole thing.
Could you tell me where the default Choose file button and the no file selected text are drawn from?
kind regards
Mike
@Mike Bird Off the top of my head, the text from the button comes from the browser implementation. I’m not really sure how you can modify it, though I know it looks different between browsers.
Thanks Mark. Worked out that yes, it is a browser default and the only way would be to place/position an image on top of the button. So I compromised and styled the box around the button.
Thanks again for a brilliant plugin.
One thought as I near publishing the site. My form submission seems to take an age; is this a function of working on localhost with the site (MySQL is actually an online server), or is there something I can work on to speed it up? I’m restricting the image upload to quite a small value, so I’m not sure what’s holding it up. It’s literally taking a minute or two to submit.
Kind regards
Mike
Mark
So does the update simply deal with the upload widget? Or are there more changes in the update? I’ve gone way past simply doing a plugin update, as I’ve changed a lot of the CSS and function messages which I obviously don’t want to overwrite.
Cheers
Mike
@Mike Bird I plan to look at the change next week but yes, it will only fix the exploit.
Hey, love your plugin!! I’m having 2 problems though! I’ve taken out the option for users to post titles; is there a way I can change the default title? And also, when my users submit embedded videos from YouTube, they don’t show up :/ Any ideas?! Thanks!
Hi,
I updated to the latest version of TDOMF and now I have trouble getting checkboxes to work.
If I add the Categories widget to my form, select the needed categories and check the checkbox option, it still shows the categories as radio buttons. Is it just me or is there something wrong with the new version?
It doesn’t help when trying to “hack” them into checkboxes and name them as categories-2[] (this is how they used to work).
Should the checkbox option work at all? Should I just give up or continue trying to get this to work?
Oops, sorry, my bad. I didn’t notice to check the option that the user can select multiple categories. Discard the previous comment!
br,
turan
I have done a wretched amount of modification to your plugin, which more or less locks me in to the version I’ve got. When you modify it to fix the exploit, would it be possible for you to summarize the changes you make? That would allow me to apply them by hand to my mutant.
@max_Q Sure, I’ll post a summary of them. You can also access the version history from the SVN repo that holds the plugin on WordPress.com
Did the custom post types feature ever get “officially” added into this plugin?
@David I’m afraid I never finished the work. It’s half complete.
Not to burst ANYONE’s bubble, but since you mentioned stopping if anyone ever made something complete: I purchased “Formidable Pro” yesterday (free version missing some of the field types and a few options, paid version only $37 and TOTALLY worth it), and already have it working on my site. Front end submission (auto publish or draft), custom post type and taxonomy support, front end editing and basic user restrictions on editing, form styling, display customizing, drag and drop, calendar entries and several other things I can’t imagine ever needing. You should definitely check it out. Thanks again for your great work.
[…] to resolve these issues - unfortunately, the form plugin which we use, TDO Mini Forms, is not being currently updated so it looks like we’ll need to move to another platform for submitting giveaways. What makes […]
Does this work with the latest WP 3.3.1?
Regards
How can we recover author information on posts submitted using TDO Mini forms?
We recently found that all posts submitted using TDO Mini Forms are missing the author information. Whereas the posts used to display “By ” and optionally the , the post authors have defaulted to admin. New posts that were submitted using the TDO Mini Form have “tdomf_” as the author instead of the author information.
Our site depends heavily on TDO Mini Forms, and we wish we had been informed of the exploit and other problems, or at least been given information about recovering data submitted using the form.
Can you please help us recover this information? We have hundreds of users waiting to reclaim authorship of their posts.
Replied to your query on the WP forums, but here it is in case anyone else wants to know:
That sounds like the posts were submitted by users who were not logged in, i.e. anonymous. The “tdomf_” is a default author created to allow anonymous posting, because every post needs to be associated with a user. However, the info is not lost. The name and email are in the “Content Fields” (which should be called Author Email, Author Name and Author Website). So you can use the WordPress content fields API to display the name in your theme pretty easily.
Just for the record, you should be fairly safe to continue using the plugin if you don’t have uploads. And even if you do have uploads, your web server configuration would have to allow .jpg files to be executed as scripts for the exploit to have any effect.
I was shocked when I came to know that the plugin has been removed from the repository.
No other plugin, whether free or premium, would compete with TDO-mini-forms. Hope it comes back soon.
Thanks
Yes, I also use the form for people to create their own posts. Mine is still working, but not sure for how long. We need an update for this plugin, paid or not! It’s the best I have found so far.
I really hope you want to update this wonderful plugin! It is very sad to see this masterpiece disappear from WordPress.
ps. if you need a future translation, send me a mail.
I love this plugin, glad to see an update is in the works; should make for a great Christmas gift.
One question: how do you show all registered users on the site and be able to select those you can trust? As it is now, it’s only submitters that you can see.
Hey Mark,
I’ve cobbled together a Future Post widget, with a jQuery Date/Time picker, that allows you to schedule a post for future publication. No warranties on the quality of the code, but it works and has been very useful for me. Would you like it?