Support Forum - Topic: Choices site was hacked

Support Forum - Topic: Choices site was hacked - known vulnerability? http://www.kriesi.at/support/topic/choices-site-was-hacked-known-vulnerability Support Forum - Topic: Choices site was hacked - known vulnerability? en-US Sun, 26 May 2013 00:43:16 +0000 http://bbpress.org/?v=1.0.2 <![CDATA[Search]]> q http://www.kriesi.at/support/search.php songbyanon on "Choices site was hacked - known vulnerability?" http://www.kriesi.at/support/topic/choices-site-was-hacked-known-vulnerability#post-84453 Sun, 18 Nov 2012 13:42:58 +0000 songbyanon 84453@http://www.kriesi.at/support/ Great, thanks for the quick reply. Dude on "Choices site was hacked - known vulnerability?" http://www.kriesi.at/support/topic/choices-site-was-hacked-known-vulnerability#post-84448 Sun, 18 Nov 2012 12:42:00 +0000 Dude 84448@http://www.kriesi.at/support/ Hi! Yes, Choices version 1.6 fixes the security issue: <a href="http://themeforest.net/item/choices-responsive-business-and-portfolio/2536338" rel="nofollow">http://themeforest.net/item/choices-responsive-business-and-portfolio/2536338</a> Please download the latest version from themeforest.net. Best regards, Peter songbyanon on "Choices site was hacked - known vulnerability?" http://www.kriesi.at/support/topic/choices-site-was-hacked-known-vulnerability#post-84440 Sun, 18 Nov 2012 08:10:19 +0000 songbyanon 84440@http://www.kriesi.at/support/ Hello, One of my sites using the Choices theme was recently hacked - I believe using a UTF-7 exploit with XSS (though I could be wrong about that). The hackers basically defaced all the pages by editing the head section on each of the pages. This resulted in a load of errors like this being displayed on each of the pages:- Warning: html_entity_decode() [function.html-entity-decode]: charset `UTF-7' not supported, assuming iso-8859-1 in <URL>/choices/framework/php/function-set-avia-backend.php on line XXX From my little understanding of this, I thought this sort of hack was only possible when you don't explicitly declare which charset you are using. In the theme I see the charset is defined as:- <meta charset="<?php bloginfo( 'charset' ); ?>" /> ...which seems pretty standard. Any idea how they managed to do this and/or what I can do to prevent it from happening again? Incidentally, if you do a google search for the error message, you'll see a lot of sites using your themes that have been hacked in the same way (with file function-set-avia-backend.php). Thanks in advance