Re: [Full-disclosure] IL and XSS vulnerabilities in multiple themes for WordPress
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] IL and XSS vulnerabilities in multiple themes for WordPress
- From: Henri Salo <henri@xxxxxxx>
- Date: Tue, 7 Jun 2011 19:12:06 +0300
On Tue, Jun 07, 2011 at 06:57:44PM +0300, MustLive wrote:
> Hi David!
>
> You need to look harder ;-). Looks like you checked these two themes on sites
> whose admins deleted this file. There are admins who understand that scripts
> with phpinfo must not be on working sites (but these are rare cases, and the
> larger part of the sites with affected themes for WP contain test.php).
>
> Yes, I've checked all these 15 themes (I've tested even more and wasted a lot
> of time on it, but found it exactly in these 15 themes). I've found them at live
> web sites on the Internet, as I mentioned earlier.
>
> Here are examples of the sites with test.php in Typebased and NewsPress
> themes:
>
> http://thenetexperiment.com/wp-content/themes/typebased/includes/test.php
>
> http://coporan.3x.ro/wp-content/themes/newspress/includes/test.php
>
> For example, in April I was trying to find test.php in these 15 and other
> themes at WooThemes' demo site, but they don't have this file in any of their
> themes (among those tested by me). So as for their own sites, they understand
> the risk, but when they sell holes for a large price to their clients, they
> no longer understand the risk and position it as a feature :-).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
Please don't waste your time anymore :)
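A defender-side check for the issue the quoted message describes, added here as an example that is not part of the thread or of any theme vendor's code: walk a WordPress themes directory and flag leftover diagnostic scripts (test.php and similar names) as well as any PHP file that calls phpinfo(). The directory layout and file contents below are constructed for the demonstration.

```python
"""Scan a WordPress wp-content/themes tree for leftover diagnostic scripts."""
import os
import re
import tempfile

# Heuristics from the thread: themes shipped an includes/test.php that calls phpinfo().
# The extra filenames are assumptions (common names for such leftovers).
SUSPECT_NAMES = {"test.php", "phpinfo.php", "info.php"}
PHPINFO_RE = re.compile(r"\bphpinfo\s*\(", re.IGNORECASE)


def scan_themes(themes_dir):
    """Return a sorted list of (relative_path, reason) for files that look like
    leftover diagnostics: a suspicious filename, or a PHP file calling phpinfo()."""
    findings = []
    for root, _dirs, files in os.walk(themes_dir):
        for name in files:
            if not name.lower().endswith(".php"):
                continue  # only PHP is executed by the web server here
            path = os.path.join(root, name)
            rel = os.path.relpath(path, themes_dir)
            if name.lower() in SUSPECT_NAMES:
                findings.append((rel, "suspicious filename"))
                continue  # filename alone is enough; no need to read it
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    if PHPINFO_RE.search(fh.read()):
                        findings.append((rel, "calls phpinfo()"))
            except OSError:
                pass  # unreadable file: skip rather than abort the whole scan
    return sorted(findings)


def build_sample_tree():
    """Constructed sample install: one theme with the leftover includes/test.php,
    one with a renamed phpinfo script, and clean files that must not be flagged."""
    base = tempfile.mkdtemp()
    samples = {
        "typebased/includes/test.php": "<?php phpinfo(); ?>",
        "typebased/functions.php": "<?php add_theme_support('menus'); ?>",
        "newspress/includes/helper.php": "<?php PHPInfo ( ); ?>",  # renamed leftover
        "newspress/style.css": "/* Theme Name: NewsPress */",
    }
    for rel, body in samples.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return base


if __name__ == "__main__":
    for rel, reason in scan_themes(build_sample_tree()):
        print(f"{rel}: {reason}")
```

Running it against a real install is `scan_themes("/path/to/wp-content/themes")`; a hit means the file should be removed from the production copy, not merely renamed.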
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/