[theme-reviewers] Can I have another theme to review?

Chip Bennett chip at chipbennett.net
Sun Apr 10 12:44:10 UTC 2011


Here are all the tickets by developer "rahulsarees":
http://themes.trac.wordpress.org/query?status=accepted&status=assigned&status=closed&status=new&status=reopened&reporter=rahulsarees&col=id&col=summary&col=status&col=owner&col=type&col=resolution&col=time&order=priority

Thankfully, he only has one other Theme, and it also isn't approved.

I just did a search, and found this same trick used elsewhere.

All-Green 1.0.4 (approved, by me *blush*):
http://themes.svn.wordpress.org/all-green/1.0.4/images/spacer.tif
Beauty Dots 1.0.6 (approved):
http://themes.svn.wordpress.org/beauty-dots/1.0.6/images/spacer.tif

Both of these Themes are by "paydaydesigns":
http://themes.trac.wordpress.org/query?status=accepted&status=assigned&status=closed&status=new&status=reopened&reporter=paydaydesigns&col=id&col=summary&col=status&col=owner&col=type&col=time&order=priority

Recommendations:

1) Blacklist both "rahulsarees" and "paydaydesigns" and suspend all above Themes
2) Implement appropriate fixes in Theme-Check and the Uploader

Chip

On Sun, Apr 10, 2011 at 4:20 AM, Andrew Nacin <wp at andrewnacin.com> wrote:

> On Sun, Apr 10, 2011 at 4:34 AM, Emil Uzelac <emil at themeid.com> wrote:
>
>> There is something going on there no doubt about that, it seems like <a
>> href=' '> was left there for a reason, such as URL injection. Either way
>> this .tif can and does pose as a security problem, no need to go forward
>> with the review until this is fixed immediately. I think that you can close
>> as not-approved and explain the situation in your review.
>>
>> Nacin or Otto will know more about this, as it is right now it is way over my
>> head :(
>>
>
> I've closed the ticket and made some preliminary comments. Jon Cave has
> fully decoded it before I've had the chance to -- the end result is loading
> an external XML file to generate as many links as they want in the footer.
> Clever, and slimy as hell.
>
> This theme appeared pretty much perfectly coded, except for the tif file
> and the single line in footer.php. There's only so much we can do to
> actually detect this in any automated fashion -- thanks so much for your
> eagle eyes and extreme attention to detail on this one.
>
> I'll try to work with Otto to establish mime-type checking for images, as
> that would have caught the tif being used as text/plain.
>
> Nacin
>
> _______________________________________________
> theme-reviewers mailing list
> theme-reviewers at lists.wordpress.org
> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>
>
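Nacin's suggestion above, mime-type (content) checking for files that claim to be images, is the kind of check an uploader or Theme-Check could add. The following is an added example written for this archive page, not code from Theme-Check, the WordPress uploader, or anyone in the thread. It compares a file's leading bytes against the magic-number signature its extension implies, and separately flags PHP open tags found in a file with an image extension (the "text file saved as .tif" case the thread describes). The theme directory it scans is constructed in a temp folder from sample bytes; the file names (spacer.tif, bg.gif, logo.png) and the signature table are assumptions made for the example.

```python
import tempfile
from pathlib import Path

# Magic-byte signatures for image types a theme may legitimately ship.
# TIFF has two byte orders: little-endian "II*\0" and big-endian "MM\0*".
IMAGE_SIGNATURES = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".tif": [b"II*\x00", b"MM\x00*"],
    ".tiff": [b"II*\x00", b"MM\x00*"],
    ".bmp": [b"BM"],
}


def classify_image_file(path):
    """Return None when the file's content matches what its extension promises,
    otherwise a short reason string describing the mismatch."""
    ext = Path(path).suffix.lower()
    sigs = IMAGE_SIGNATURES.get(ext)
    if sigs is None:
        return None  # not an image extension we police (e.g. .php, .css)
    with open(path, "rb") as fh:
        head = fh.read(256)
    if any(head.startswith(sig) for sig in sigs):
        return None
    # An image extension with a PHP open tag in its first bytes is the
    # strongest signal: it is text that something will later include/eval.
    if b"<?php" in head:
        return "PHP code disguised as %s" % ext
    return "content does not match %s signature" % ext


def scan_theme(theme_dir):
    """Walk a theme directory and return a sorted list of
    (posix-style relative path, reason) for every suspicious image file."""
    base = Path(theme_dir)
    findings = []
    for path in base.rglob("*"):
        if not path.is_file():
            continue
        reason = classify_image_file(path)
        if reason:
            findings.append((path.relative_to(base).as_posix(), reason))
    return sorted(findings)


def build_sample_theme():
    """Construct a throwaway theme directory with sample bytes (constructed
    data for this example, not a real theme)."""
    d = Path(tempfile.mkdtemp(prefix="theme-scan-"))
    img = d / "images"
    img.mkdir()
    (img / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)   # real PNG header
    (img / "photo.tif").write_bytes(b"II*\x00" + b"\x00" * 32)           # real TIFF header
    # Constructed stand-in for the trick the thread describes: PHP saved under an image name.
    (img / "spacer.tif").write_bytes(b"<?php /* constructed sample */ echo 'x'; ?>")
    (img / "bg.gif").write_bytes(b"<a href=' '>")                         # plain text, not a GIF
    (d / "footer.php").write_text("<?php wp_footer(); ?>")
    return str(d)


if __name__ == "__main__":
    for rel, why in scan_theme(build_sample_theme()):
        print("%s: %s" % (rel, why))
```

The check only reads the first 256 bytes of each file, so it is cheap to run over every upload. It deliberately reports both a specific reason (PHP tag present) and a generic one (signature mismatch), since a reviewer wants the former escalated immediately while the latter may just be a mislabelled image.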