Endless loop in bp activity plus stream from unknown user

I haven't really decided if this is a bp issue or a bp activity plus plugin issue. Seeing as how the comment was posted via the plugin's text box, I thought I'd post here as well as the bp forum.

I just had someone post a comment to the ACTIVITY STREAM. They had no username or avatar that I could see. When I clicked the VIEW link it resulted in an endless redirect loop. Bug or intentional hack?

Images:
This is the comment, user doesn’t have a username or an avatar – http://i.imgur.com/7giSv.png

This is the DB entry. Note that the user_id is "0". Yet when I check wp_users the lowest user id that I see is my ID… the admin, which is "1". http://i.imgur.com/iUZGq.png

This is what appears in the URL bar at the top of the browser… I stopped it, but eventually it crashes and I get a redirect loop message – http://i.imgur.com/7LWYF.png

Capture of wp_users ordered by lowest to highest value. Note that "0" doesn't even appear – http://i.imgur.com/dfnCS.png
Anyone have any idea what the problem is? I ended up logging in as admin and just clicked the DELETE link next to the comment in the activity stream.
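The check the original poster did by hand in phpMyAdmin (an activity row whose user_id points at no row in wp_users) can be automated. The following is an added example, not code from the thread, from BuddyPress or from the Activity Plus plugin. It builds a throwaway SQLite copy of the two tables with constructed sample rows and runs a LEFT JOIN that lists every activity item with no matching user, which covers both the user_id 0 case seen here and rows left behind by a deleted account. The table name wp_bp_activity and the column set are assumed from a standard BuddyPress install; the same query runs unchanged against MySQL.

```python
import sqlite3

# Constructed sample data (not taken from the forum thread). The real
# BuddyPress activity table is assumed to be wp_bp_activity with the
# columns used below; wp_users uses WordPress's standard ID column.
USERS = [(1, "admin"), (2, "alice"), (3, "bob")]
ACTIVITY = [
    # (id, user_id, component, type, content)
    (101, 1, "activity", "activity_update", "Welcome post"),
    (102, 2, "activity", "activity_update", "Hello from alice"),
    # user_id 0: the situation described in the thread
    (103, 0, "activity", "activity_update", "link posted through the plugin (placeholder text)"),
    # user_id 7: an account that no longer exists in wp_users
    (104, 7, "activity", "activity_update", "posted by a since-deleted user"),
]

# Rows whose author cannot be resolved. LEFT JOIN keeps every activity row
# and leaves u.ID NULL when wp_users has no matching user.
ORPHAN_QUERY = """
SELECT a.id, a.user_id, a.type
FROM wp_bp_activity AS a
LEFT JOIN wp_users AS u ON u.ID = a.user_id
WHERE u.ID IS NULL
ORDER BY a.id
"""


def build_db():
    """Create an in-memory SQLite database with the two sample tables."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
    CREATE TABLE wp_users (
        ID INTEGER PRIMARY KEY,
        user_login TEXT NOT NULL
    );
    CREATE TABLE wp_bp_activity (
        id INTEGER PRIMARY KEY,
        user_id INTEGER NOT NULL,
        component TEXT,
        type TEXT,
        content TEXT
    );
    """)
    con.executemany("INSERT INTO wp_users VALUES (?, ?)", USERS)
    con.executemany("INSERT INTO wp_bp_activity VALUES (?, ?, ?, ?, ?)", ACTIVITY)
    return con


def find_orphaned_activity(con):
    """Return (id, user_id, type) for every activity row with no wp_users author."""
    return con.execute(ORPHAN_QUERY).fetchall()


if __name__ == "__main__":
    db = build_db()
    for activity_id, user_id, activity_type in find_orphaned_activity(db):
        print(f"activity {activity_id}: user_id {user_id} has no wp_users row ({activity_type})")
```

Run against a real database, the same SELECT is a safe read-only audit; deleting the rows it returns is a separate decision, since a row with a dangling user_id can come from a deleted account as well as from the kind of failed insert discussed in this thread.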

  • DavidM
    • DEV MAN’s Mascot

    Hi Webster,

    That's just weird and it seems like it has to do with BP itself, as users should only have access to the activity stream if they're actually logged in, right?

    I'll ask a couple of the guys over here if they've seen anything like that before.

    Cheers,
    David

  • Webster
    • Design Lord, Child of Thor

    That's correct DavidM... Users must be registered to use or for that matter see the activity stream... It had to be someone with that access and that snippet of code somehow broke that part of BP. Having said that, does the code/post "look" malicious?

  • Webster
    • Design Lord, Child of Thor

    David? Can you have someone get back to me on this? Please. My guess is that they used the http://prntscr.com/ service to take a screenshot of their desktop. They may have used whatever embed code they got from there to post the image via the BP ACTIVITY PLUGIN "post image URL"; which would mean that the code isn't fully being sanitized.

    I'm not on a Mac so I can't test it. Can you have a developer install that program and try pasting the code in that field?

    Thanks...

  • DavidM
    • DEV MAN’s Mascot

    Hi Webster,

    If you're referring to the code you posted from your phpMyAdmin, there's nothing at all malicious in there. It's just some typical spam-looking content wrapped in a BP Activity Plus shortcode, what one would expect to see from that plugin.

    It honestly looks like a spam attempt to generate traffic to that site you posted. It's just odd that the link got posted without user data.

    Cheers,
    David

  • Webster
    • Design Lord, Child of Thor

    David...

    "It honestly looks like a spam attempt to generate traffic to that site you posted. It's just odd that the link got posted without user data."

    Knowing my site's content and looking more closely at the comment, I'd say that this SOMEHOW came from a registered user. The text of the comment is relevant to the website and its context is well within what I would expect a user to post. I think it's innocent in that respect.

    What's odd is that in posting the code (however they did it), it killed their avatar and made them an anonymous user.

    That's what I would be looking into... I tried posting the same code myself and couldn't repeat the error.

  • Mason
    • DEV MAN’s Sidekick

    I'm not sure either. I've commented on your thread there.

    As it was an isolated incident, I'm thinking (hoping) something just went wrong with that one post and caused information to be corrupted/not added to the database. It could have been a crazy combination of any number of items. Makes it extremely tricky to sort, but shouldn't be an ongoing concern. I suppose time will tell...

  • Philip John
    • DEV MAN’s Apprentice

    Hiya,

    As we haven't heard back from you we're going to assume the problem was sorted out and mark this thread as resolved.

    If it wasn't resolved, or you have any more questions related to this thread please feel free to post them below and tick the 'Mark as Not Resolved (re-open)' box below the post area (or else we'll miss it!)

    Otherwise, thanks for using the forums, and, as always, for being a member of WPMU DEV, it's a pleasure to help you out and we look forward to being of assistance in the future.

    Cheers,
    Phil
