Ideas for finding exploits such as this one?<div><br></div><div>1) Using include() to add an image file to the template file, rather than using an &lt;img /&gt; tag.</div><div>2) *Anything* unusual in footer.php, or hooked into wp_footer() in functions.php</div>
<div><br></div><div>What else?</div><div><br></div><div>Chip<br><br><div class="gmail_quote">On Sun, Apr 10, 2011 at 7:44 AM, Chip Bennett <span dir="ltr"><<a href="mailto:chip@chipbennett.net">chip@chipbennett.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Here are all the tickets by developer "rahulsarees":<div><a href="http://themes.trac.wordpress.org/query?status=accepted&status=assigned&status=closed&status=new&status=reopened&reporter=rahulsarees&col=id&col=summary&col=status&col=owner&col=type&col=resolution&col=time&order=priority" target="_blank">http://themes.trac.wordpress.org/query?status=accepted&status=assigned&status=closed&status=new&status=reopened&reporter=rahulsarees&col=id&col=summary&col=status&col=owner&col=type&col=resolution&col=time&order=priority</a></div>
<div><br></div><div>Thankfully, he only has one other Theme, and it also isn't approved.</div><div><br></div><div>I just did a search, and found this same trick used elsewhere.</div><div><br></div><div>All-Green 1.0.4 (approved, by me *blush*): <a href="http://themes.svn.wordpress.org/all-green/1.0.4/images/spacer.tif" target="_blank">http://themes.svn.wordpress.org/all-green/1.0.4/images/spacer.tif</a></div>
<div>Beauty Dots 1.0.6 (approved): <a href="http://themes.svn.wordpress.org/beauty-dots/1.0.6/images/spacer.tif" target="_blank">http://themes.svn.wordpress.org/beauty-dots/1.0.6/images/spacer.tif</a></div>
<div><br></div><div>Both of these Themes are by "paydaydesigns":</div><div><a href="http://themes.trac.wordpress.org/query?status=accepted&status=assigned&status=closed&status=new&status=reopened&reporter=paydaydesigns&col=id&col=summary&col=status&col=owner&col=type&col=time&order=priority" target="_blank">http://themes.trac.wordpress.org/query?status=accepted&status=assigned&status=closed&status=new&status=reopened&reporter=paydaydesigns&col=id&col=summary&col=status&col=owner&col=type&col=time&order=priority</a></div>
<div><br></div><div><b>Recommendations:</b></div><div><b><br></b></div><div><b>1) Blacklist both "rahulsarees" and "paydaydesigns" and suspend all above Themes</b></div><div><b>2) Implement appropriate fixes in Theme-Check and the Uploader</b></div>
<div><br></div><div><font color="#888888">Chip<br><br></font><div class="gmail_quote"><div><div></div><div class="h5">On Sun, Apr 10, 2011 at 4:20 AM, Andrew Nacin <span dir="ltr"><<a href="mailto:wp@andrewnacin.com" target="_blank">wp@andrewnacin.com</a>></span> wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div></div><div class="h5">
<div>On Sun, Apr 10, 2011 at 4:34 AM, Emil Uzelac <span dir="ltr"><<a href="mailto:emil@themeid.com" target="_blank">emil@themeid.com</a>></span> wrote:<br></div><div class="gmail_quote"><div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><font size="2"><font face="tahoma,sans-serif">There is something going on there, no doubt about that; it seems like &lt;a href=' '&gt; was left there for a reason, such as URL injection. Either way, this .tif can and does pose a security problem; no need to go forward with the review until this is fixed immediately. I think that you can close as not-approved and explain the situation in your review.</font></font></div>
<div><font size="2"><font face="tahoma,sans-serif"> </font></font></div><div><font size="2"><font face="tahoma,sans-serif">Nacin or Otto will know more about this; as it is right now, it is way over my head :( </font></font></div>
</blockquote><div><br></div></div><div>I've closed the ticket and made some preliminary comments. Jon Cave has fully decoded it before I've had the chance to -- the end result is loading an external XML file to generate as many links as they want in the footer. Clever, and slimy as hell.</div>
<div><br></div><div>This theme appeared pretty much perfectly coded, except for the tif file and the single line in footer.php. There's only so much we can do to actually detect this in any automated fashion -- thanks so much for your eagle eyes and extreme attention to detail on this one.</div>
<div><br></div><div>I'll try to work with Otto to establish mime-type checking for images, as that would have caught the tif being used as text/plain.</div><div><br></div><font color="#888888"><div>Nacin</div></font></div>
<br></div></div><div class="im">_______________________________________________<br>
theme-reviewers mailing list<br>
<a href="mailto:theme-reviewers@lists.wordpress.org" target="_blank">theme-reviewers@lists.wordpress.org</a><br>
<a href="http://lists.wordpress.org/mailman/listinfo/theme-reviewers" target="_blank">http://lists.wordpress.org/mailman/listinfo/theme-reviewers</a><br>
<br></div></blockquote></div><br></div>
</blockquote></div><br></div>
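<div>The detection ideas raised in this thread, Chip's include()-of-an-image-file and wp_footer hook checks and Nacin's mime-type check that would have caught a .tif holding text, written up as a small reviewer-side scanner. This is an example added here, not Theme-Check code or anything posted to the list; the theme tree it scans is constructed (file names mirror the thread, and the .tif holds only placeholder text).</div>

```python
import re
import tempfile
from pathlib import Path

# Magic bytes a genuine image of each type starts with (standard signatures).
MAGIC = {'.tif': (b'II*\x00', b'MM\x00*'), '.gif': (b'GIF87a', b'GIF89a'),
         '.png': (b'\x89PNG\r\n\x1a\n',), '.jpg': (b'\xff\xd8\xff',)}
# Source patterns a reviewer wants flagged: include/require (and *_once) whose
# argument names an image-extension file, and any callback hooked into wp_footer.
CHECKS = [
    (re.compile(r'\b(include|require)(_once)?\b[^;]*?\.(tif|tiff|gif|png|jpe?g)\b', re.I),
     'include/require of an image-extension file'),
    (re.compile(r'''add_action\(\s*['"]wp_footer['"]''', re.I),
     'callback hooked into wp_footer; review manually'),
]

def scan_php(rel, source):
    """(path, line, message) findings for one PHP source file."""
    return [(rel, n, msg) for n, line in enumerate(source.splitlines(), 1)
            for rx, msg in CHECKS if rx.search(line)]

def check_image(rel, data):
    """Finding if the extension claims an image type the bytes do not match, else None."""
    ext = Path(rel).suffix.lower()
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        return (rel, 0, 'extension %s but content is not a %s image' % (ext, ext[1:]))

def scan_theme(root):
    """Walk a theme checkout: PHP gets source checks, images get magic-byte checks."""
    findings = []
    for path in (p for p in Path(root).rglob('*') if p.is_file()):
        rel, data = path.relative_to(root).as_posix(), path.read_bytes()
        if rel.lower().endswith('.php'):
            findings.extend(scan_php(rel, data.decode('utf-8', 'replace')))
        elif check_image(rel, data):
            findings.append(check_image(rel, data))
    return sorted(findings)

def build_sample_theme():
    """Constructed tree: real PNG header, .tif that is PHP text, footer.php include()ing it, functions.php hooking wp_footer."""
    root = Path(tempfile.mkdtemp(prefix='theme-'))
    (root / 'images').mkdir()
    for rel, data in {
        'images/logo.png': b'\x89PNG\r\n\x1a\n' + b'\x00' * 16,
        'images/spacer.tif': b'<?php /* constructed placeholder, not an image */ ?>',
        'footer.php': b"<?php include(get_template_directory() . '/images/spacer.tif'); ?>\n",
        'functions.php': b"<?php\nadd_action('wp_footer', 'theme_footer_credit');\n",
    }.items():
        (root / rel).write_bytes(data)
    return str(root)
```

Run scan_theme() over an unpacked theme checkout; the magic-byte check is the part a file-extension or Theme-Check regex pass alone does not give you.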