[theme-reviewers] Can I have another theme to review?
Chip Bennett
chip at chipbennett.net
Sun Apr 10 12:56:24 UTC 2011
Ideas for finding exploits such as this one?
1) Using include() to add an image file to the template file, rather than
using an <img /> tag.
2) *Anything* unusual in footer.php, or hooked into wp_footer() in
functions.php
What else?
Chip
On Sun, Apr 10, 2011 at 7:44 AM, Chip Bennett <chip at chipbennett.net> wrote:
> Here are all the tickets by developer "rahulsarees":
>
> http://themes.trac.wordpress.org/query?status=accepted&status=assigned&status=closed&status=new&status=reopened&reporter=rahulsarees&col=id&col=summary&col=status&col=owner&col=type&col=resolution&col=time&order=priority
>
> Thankfully, he only has one other Theme, and it also isn't approved.
>
> I just did a search, and found this same trick used elsewhere.
>
> All-Green 1.0.4 (approved, by me *blush*):
> http://themes.svn.wordpress.org/all-green/1.0.4/images/spacer.tif
> Beauty Dots 1.0.6 (approved):
> http://themes.svn.wordpress.org/beauty-dots/1.0.6/images/spacer.tif
>
> Both of these Themes are by "paydaydesigns":
>
> http://themes.trac.wordpress.org/query?status=accepted&status=assigned&status=closed&status=new&status=reopened&reporter=paydaydesigns&col=id&col=summary&col=status&col=owner&col=type&col=time&order=priority
>
> Recommendations:
>
> 1) Blacklist both "rahulsarees" and "paydaydesigns" and suspend all above
> Themes
> 2) Implement appropriate fixes in Theme-Check and the Uploader
>
> Chip
>
> On Sun, Apr 10, 2011 at 4:20 AM, Andrew Nacin <wp at andrewnacin.com> wrote:
>
>> On Sun, Apr 10, 2011 at 4:34 AM, Emil Uzelac <emil at themeid.com> wrote:
>>
>>> There is something going on there no doubt about that, it seems like <a
>>> href=' '> was left there for a reason, such as URL injection. Either way
>>> this .tif can and does pose as a security problem, no need to go forward
>>> with the review until this is fixed immediately. I think that you can close
>>> as not-approved and explain the situation in your review.
>>>
>>> Nacin or Otto will know more about this; as it is right now, it is way over my
>>> head :(
>>>
>>
>> I've closed the ticket and made some preliminary comments. Jon Cave has
>> fully decoded it before I've had the chance to -- the end result is loading
>> an external XML file to generate as many links as they want in the footer.
>> Clever, and slimy as hell.
>>
>> This theme appeared pretty much perfectly coded, except for the tif file
>> and the single line in footer.php. There's only so much we can do to
>> actually detect this in any automated fashion -- thanks so much for your
>> eagle eyes and extreme attention to detail on this one.
>>
>> I'll try to work with Otto to establish mime-type checking for images, as
>> that would have caught the tif being used as text/plain.
>>
>> Nacin
>>
>> _______________________________________________
>> theme-reviewers mailing list
>> theme-reviewers at lists.wordpress.org
>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>
>>
>
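As an added illustration of the two heuristics Chip lists above (include() of an image file, and anything hooked into wp_footer()) plus Nacin's mime-type idea, here is a small scanner run over a constructed in-memory theme. This is example code written for this page, not code from the thread or from Theme-Check; the file names, file contents and the magic-byte table are assumptions.

```python
import re

# Constructed sample theme (not the theme discussed in the thread): a footer
# that include()s a "spacer.tif", and a "spacer.tif" that is really PHP text.
THEME_FILES = {
    "footer.php": (
        b"<?php wp_footer(); ?>\n"
        b"<?php include(get_template_directory() . '/images/spacer.tif'); ?>\n"
        b"</body></html>\n"
    ),
    "images/spacer.tif": b"<?php echo 'injected links'; ?>",
    "images/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,   # real PNG header
    "functions.php": b"<?php add_action('wp_footer', 'mytheme_credits'); ?>",
}

# Magic bytes a genuine image of each extension must start with (assumed table).
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "tif": (b"II*\x00", b"MM\x00*"),
    "tiff": (b"II*\x00", b"MM\x00*"),
}
# include/require whose argument ends in an image extension.
INCLUDE_RE = re.compile(
    r"\b(include|include_once|require|require_once)\b[^;]*?\.("
    + "|".join(MAGIC) + r")\b['\"]", re.IGNORECASE)
WP_FOOTER_RE = re.compile(r"add_action\(\s*['\"]wp_footer['\"]", re.IGNORECASE)

def ext_of(path):
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""

def scan_theme(files):
    """Return (path, finding) pairs a reviewer should look at by hand."""
    findings = []
    for path, data in files.items():
        ext = ext_of(path)
        if ext == "php":
            text = data.decode("utf-8", "replace")
            if INCLUDE_RE.search(text):
                findings.append((path, "include/require of an image-extension file"))
            if WP_FOOTER_RE.search(text):
                findings.append((path, "callback hooked into wp_footer (review manually)"))
        elif ext in MAGIC:
            if not data.startswith(MAGIC[ext]):  # startswith() accepts a tuple
                findings.append((path, "image extension but no image magic bytes"))
            if b"<?php" in data or b"<?=" in data:
                findings.append((path, "PHP open tag inside image file"))
    return findings
```

The magic-byte check is the same idea as mime-type checking at upload time: a .tif that starts with `<?php` is text, not an image, whatever its extension says.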