[theme-reviewers] Security of themes (just top layer)

Mario Peshev mario at peshev.net
Sun Oct 9 05:52:06 UTC 2011


Lol @Otto, you've been the source of all that as it seems :)

@Emil - yes, I know this one specifically is fixed (even in the advisory
it's recommended that people actually update to the latest release). I was
just thinking about some internal process of following repositories and
advisories (just as Otto said he does on a regular basis) and notifying authors
of this - preferably with ready security patches. We don't have any control
over people running sites with these themes so we can't notify them now, but I
was brainstorming out loud on different methods to point out some critical
security troubles or run a mailing list (to point out the latest security vulns
for themes) or something like this.

Just for the sake of the overall WP community. Some of the themes might even
be part of the WordPress.com system with millions of people running them
(and we don't want the same freaking scenario as the DDoS attack in March).

@Otto, I'm going to research the latest plugin vulnerability trends in the
mailing lists tonight and report accordingly if there is anything still
available in the repo.

All the best,

Mario Peshev
Training and Consulting Services @ DevriX
http://www.linkedin.com/in/mpeshev
http://peshev.net/blog



On Sun, Oct 9, 2011 at 8:12 AM, Otto <otto at ottodestruct.com> wrote:

> On Sat, Oct 8, 2011 at 11:45 PM, Mario Peshev <mario at peshev.net> wrote:
> > Someone in the mailing list mentioned the Atahualpa theme and I just reminded
> > myself about an XSS attack revealed in this theme
> > - https://sitewat.ch/en/Advisories/8 (originated from a Russian security
> > site - http://www.securitylab.ru/vulnerability/407851.php ). There are
> > actually lots of other themes reported out there.
> > The Russian site (not quite sure about the sitewat one) is the most popular
> > site about security in Russia, I believe (I don't live there, but I have
> > followed their sources for the past 5 years and never seen any other good
> > source). Therefore, as expected, lots of other users with security knowledge
> > observe their advisories and could take advantage of some of the reports.
> > Is there any way to keep an eye on some top resources of vuln lists (or
> > create a list to review once a week) and report to the authors with a
> > standard mail, or add some text to the /extend page that the theme needs an
> > update? Since some of the themes have tens of thousands of downloads, it
> > could be dangerous for most users.
> > It could even be an internal source for WP, but I don't know how wise it is
> > to report WP vulnerabilities on the WP site itself.
> > Any comments on that?
> >
>
> Not to, you know, brag or anything, but guess who alerted the author
> of that theme to the XSS vulnerability in 3.6.7, and provided a fix?
> ;)
>
> We try to be on top of it, as far as it goes. If you find any security
> issues with anything live on wordpress.org, please email
> security at wordpress.org. Many very, very smart people get those emails,
> and act accordingly.
>
> If you find an issue with a plugin, email plugins at wordpress.org about
> it instead. That tends to be faster for the specific case of plugins,
> which are more numerous and have special cases.
>
> I follow *lots* of mailing lists, including many, many security
> related ones. Several others do too. We try our best, but we're not
> perfect, and sometimes we miss things, so please email the relevant
> addresses if there is any issue you think we didn't see.
>
> -Otto