[theme-reviewers] Can I have another theme to review?
Edward Caissie
edward.caissie at gmail.com
Sun Apr 10 15:08:13 UTC 2011
Thanks, Chip -
I knew there were more but wasn't awake enough when I was looking to find
them (*grin* *yawn*)
... and I agree with the recommendations. Otto (or nacin) if you could look
into that.
Thanks,
Cais.
PS: The themes are suspended. EAC
On Sun, Apr 10, 2011 at 8:44 AM, Chip Bennett <chip at chipbennett.net> wrote:
> Here are all the tickets by developer "rahulsarees":
>
> http://themes.trac.wordpress.org/query?status=accepted&status=assigned&status=closed&status=new&status=reopened&reporter=rahulsarees&col=id&col=summary&col=status&col=owner&col=type&col=resolution&col=time&order=priority
>
> Thankfully, he only has one other Theme, and it also isn't approved.
>
> I just did a search, and found this same trick used elsewhere.
>
> All-Green 1.0.4 (approved, by me *blush*):
> http://themes.svn.wordpress.org/all-green/1.0.4/images/spacer.tif
> Beauty Dots 1.0.6 (approved):
> http://themes.svn.wordpress.org/beauty-dots/1.0.6/images/spacer.tif
>
> Both of these Themes are by "paydaydesigns":
>
> http://themes.trac.wordpress.org/query?status=accepted&status=assigned&status=closed&status=new&status=reopened&reporter=paydaydesigns&col=id&col=summary&col=status&col=owner&col=type&col=time&order=priority
>
> Recommendations:
>
> 1) Blacklist both "rahulsarees" and "paydaydesigns" and suspend all above
> Themes
> 2) Implement appropriate fixes in Theme-Check and the Uploader
>
> Chip
>
> On Sun, Apr 10, 2011 at 4:20 AM, Andrew Nacin <wp at andrewnacin.com> wrote:
>
>> On Sun, Apr 10, 2011 at 4:34 AM, Emil Uzelac <emil at themeid.com> wrote:
>>
>>> There is something going on there, no doubt about that; it seems like <a
>>> href=' '> was left there for a reason, such as URL injection. Either way,
>>> this .tif can and does pose a security problem, so there is no need to go
>>> forward with the review until this is fixed immediately. I think that you
>>> can close as not-approved and explain the situation in your review.
>>>
>>> Nacin or Otto will know more about this; as it is right now, it's way over
>>> my head :(
>>>
>>
>> I've closed the ticket and made some preliminary comments. Jon Cave has
>> fully decoded it before I've had the chance to -- the end result is loading
>> an external XML file to generate as many links as they want in the footer.
>> Clever, and slimy as hell.
>>
>> This theme appeared pretty much perfectly coded, except for the tif file
>> and the single line in footer.php. There's only so much we can do to
>> actually detect this in any automated fashion -- thanks so much for your
>> eagle eyes and extreme attention to detail on this one.
>>
>> I'll try to work with Otto to establish mime-type checking for images, as
>> that would have caught the tif being used as text/plain.
>>
>> Nacin
>>
>> _______________________________________________
>> theme-reviewers mailing list
>> theme-reviewers at lists.wordpress.org
>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>
>>
>
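One way to implement the image check Nacin proposes above (verifying that a file with an image extension actually contains image bytes, so a .tif that is really text/plain gets flagged), as an added example that is not code from Theme-Check, the uploader, or anyone on this thread. It is a standalone Python checker: it compares each image-named file's leading bytes against the magic numbers for that extension, and it also flags PHP statements that pass an image-named path to include/require or a file-reading function, which is how a disguised text file would be pulled into the footer. The sample theme it builds (a placeholder `spacer.tif` containing constructed markup, a genuine PNG header, and a `footer.php` that includes the .tif) is constructed for the demonstration and is not the theme under discussion; the marker strings and the list of PHP functions are this example's own assumptions, not rules from any existing tool.

```python
"""Added example: flag theme files whose extension claims 'image' but whose
bytes do not, and PHP that feeds such a file into include/parse functions.
Standalone checker (not Theme-Check code); the sample theme is constructed."""
import os
import re
import tempfile

# Magic-byte prefixes for the image types a theme is expected to ship.
IMAGE_SIGNATURES = {
    ".tif": (b"II*\x00", b"MM\x00*"),
    ".tiff": (b"II*\x00", b"MM\x00*"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Markers that belong in text, not in an image header (assumed list).
TEXT_MARKERS = (b"<?php", b"<?", b"<a ", b"<script", b"http://", b"https://")

# PHP calls that execute, read or parse a file (assumed list), followed in the
# same statement by a path ending in an image extension.
SUSPICIOUS_PHP = re.compile(
    rb"\b(include_once|require_once|include|require|file_get_contents|"
    rb"readfile|fopen|simplexml_load_file|eval)\b[^;\n]*?\.(tiff?|png|jpe?g|gif)\b",
    re.IGNORECASE,
)


def classify_image_bytes(ext, data):
    """'ok' when the header matches the extension's magic bytes,
    'text-disguised-as-image' when text/markup sits where a header should be."""
    ext = ext.lower()
    if ext not in IMAGE_SIGNATURES:
        return "not-an-image-extension"
    if any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return "ok"
    if any(marker in data[:512] for marker in TEXT_MARKERS):
        return "text-disguised-as-image"
    return "unrecognized-content"


def find_suspicious_php_lines(source):
    """1-based line numbers where PHP pulls an image-named file into code."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if SUSPICIOUS_PHP.search(line)]


def scan_theme(root):
    """Walk a theme directory; return sorted (relative path, finding) pairs."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                data = fh.read()
            if ext in IMAGE_SIGNATURES:
                verdict = classify_image_bytes(ext, data)
                if verdict != "ok":
                    findings.append((rel, verdict))
            elif ext == ".php":
                for n in find_suspicious_php_lines(data):
                    findings.append((rel, "line %d loads an image-named file into code" % n))
    return sorted(findings)


def build_sample_theme():
    """Constructed sample: a genuine PNG header, a text file named .tif, and a
    footer.php that includes it. Returns the temporary directory path."""
    root = tempfile.mkdtemp(prefix="theme-scan-")
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "images", "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    with open(os.path.join(root, "images", "spacer.tif"), "wb") as fh:
        fh.write(b"<?php /* constructed placeholder, not the original payload */ ?>\n"
                 b"<a href=' '>placeholder</a>\n")
    with open(os.path.join(root, "footer.php"), "wb") as fh:
        fh.write(b"<?php\n"
                 b"get_sidebar();\n"
                 b"include( get_template_directory() . '/images/spacer.tif' );\n"
                 b"wp_footer();\n")
    return root


if __name__ == "__main__":
    for rel, finding in scan_theme(build_sample_theme()):
        print(rel, "->", finding)
```

Run against a real theme directory with `scan_theme("/path/to/theme")`; a clean theme returns an empty list. The magic-byte test is the same thing a server-side MIME sniff does, so it catches the case in this thread regardless of what the upload form claimed; the PHP pattern is a complement, since a theme that ships a real image but still includes it as code would pass the first check and fail the second.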