[theme-reviewers] Can I have another theme to review?
chip at chipbennett.net
Sun Apr 10 12:44:10 UTC 2011
Here are all the tickets by developer "rahulsarees":
Thankfully, he only has one other Theme, and it also isn't approved.
I just did a search, and found this same trick used elsewhere.
All-Green 1.0.4 (approved, by me *blush*):
Beauty Dots 1.0.6 (approved):
Both of these Themes are by "paydaydesigns":
1) Blacklist both "rahulsarees" and "paydaydesigns" and suspend all above
2) Implement appropriate fixes in Theme-Check and the Uploader
On Sun, Apr 10, 2011 at 4:20 AM, Andrew Nacin <wp at andrewnacin.com> wrote:
> On Sun, Apr 10, 2011 at 4:34 AM, Emil Uzelac <emil at themeid.com> wrote:
>> There is something going on there no doubt about that, it seems like <a
>> href=' '> was left there for a reason, such as URL injection. Either way
>> this .tif can and does pose as a security problem, no need to go forward
>> with the review until this is fixed immediately. I think that you can close
>> as not-approved and explain the situation in your review.
>> Nacin or Otto will know more about this, as is right now is way over my
>> head :(
> I've closed the ticket and made some preliminary comments. Jon Cave has
> fully decoded it before I've had the chance to -- the end result is loading
> an external XML file to generate as many links as they want in the footer.
> Clever, and slimy as hell.
> This theme appeared pretty much perfectly coded, except for the tif file
> and the single line in footer.php. There's only so much we can do to
> actually detect this in any automated fashion -- thanks so much for your
> eagle eyes and extreme attention to detail on this one.
> I'll try to work with Otto to establish mime-type checking for images, as
> that would have caught the tif being used as text/plain.
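The mime-type check Nacin proposes, as an added example that is not Theme-Check's code nor anything posted in the thread: a small scanner, assumed to run over a theme's files as a {path: bytes} map, that flags an image-extension file whose bytes are not an image (the .tif that is really text/plain) and a PHP file that includes or requires a file with an image extension. The sample theme files are constructed for the example.

```python
import os
import re

# Constructed sample theme (not the theme discussed on the list): a real PNG header,
# a real little-endian TIFF header, a "tif" that is really text, and a footer.php that includes it.
SAMPLE_THEME = {
    "images/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "images/photo.tif": b"II*\x00" + b"\x00" * 16,
    "images/bg.tif": b"<?php /* constructed: text/plain where an image should be */ ?>",
    "footer.php": b"<?php wp_footer(); include(get_template_directory() . '/images/bg.tif'); ?>",
}

IMAGE_MAGIC = {  # first bytes expected for each image extension
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"], ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".tif": [b"II*\x00", b"MM\x00*"], ".tiff": [b"II*\x00", b"MM\x00*"],
}

# A PHP include/require whose target path carries an image extension.
INCLUDE_OF_IMAGE = re.compile(rb"\b(?:include|require)(?:_once)?\b[^;]*\.(?:tiff?|png|jpe?g|gif)\b", re.I)

def looks_like_text(data: bytes) -> bool:
    # text/plain: the first 512 bytes are valid UTF-8 with no control bytes besides tab/CR/LF
    try:
        data[:512].decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(b >= 0x20 or b in b"\t\r\n" for b in data[:512])

def check_image_file(path: str, data: bytes):
    # None for non-image extensions, "ok" for a genuine image, otherwise a finding string
    ext = os.path.splitext(path)[1].lower()
    if ext not in IMAGE_MAGIC:
        return None
    if any(data.startswith(magic) for magic in IMAGE_MAGIC[ext]):
        return "ok"
    kind = "text/plain" if looks_like_text(data) else "unrecognised binary"
    return f"{path}: extension {ext} but content is {kind}"

def scan_theme(files: dict) -> list:
    # Collect findings over a {path: bytes} map of the theme's files
    findings = []
    for path, data in files.items():
        result = check_image_file(path, data)
        if result not in (None, "ok"):
            findings.append(result)
        if path.lower().endswith(".php") and INCLUDE_OF_IMAGE.search(data):
            findings.append(f"{path}: include/require of a file with an image extension")
    return findings
```

Running `scan_theme(SAMPLE_THEME)` reports the text-bearing .tif and the footer.php line that pulls it in; genuine images and ordinary PHP files produce no finding.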