Security Waring « Support Forum | Kriesi.at - Wordpress Themes and HTML Templates

Kriesi.at - Wordpress Themes and HTML Templates

Support Forum » Shoutbox

closed

resolved

Security Waring

16 posts from 4 voices

Started 1 year ago by eddygame
Latest reply from eddygame
This topic is closed
This topic is resolved

Tags:

eddygame
Member

Hi Guys,

I have Vaultpress on one of my sites and today it's started giving a warning about the file:
'preview-shortcode-external.php' in themes: /shoutbox/framework/php/avia_shortcodes/

I think this is related to the recent woothemes exploit - any idea if this affects 'ShoutBox' or other Kriesi themes? Vaultpress is recommending I delete - preview-shortcode-external.php is it safe to do that? will it cause any problems with short codes?

Here is some more about the exploit http://blog.sucuri.net/2012/04/new-woothemes-vulnerability-patched-update-framework-now.html

Posted 1 year ago #
eddygame
Member

I think Vaultpress is flagging this up as the file names of both the woothemes 'preview-shortcode-external.php' and ShoutBox 'preview-shortcode-external.php' files are the same? the code looks very different.

Posted 1 year ago #
Devin
Moderator

Hi eddygame,

I'm not sure about that. I'll talk to Kriesi as I'm sure hes been busy checking into this since he makes such intimate use of WooCommerce.

In the meantime, You can always make a quick backup of the theme then delete the file and test for any functionality concerns. Off hand, you will definitely not be able to use the pop up shortcode generator but you could still use the shortcodes in the actual pages.

Regards,

Devin

Posted 1 year ago #
eddygame
Member

Cheers Devin, good advice and probably worth doing as a precaution until the issue is resolved.

Hopefully get a full answer from Kriesi pretty soon.

Posted 1 year ago #
Devin
Moderator

It doesn't look like it will be a big issue and to be honest I don't *think* it will effect the themes at all. Definitely keep WooCommerce up to date in the coming weeks just in case.

Posted 1 year ago #
littlepackage
Member

I dunno about this - I'm nervous because it has to do with the Shortcode Exploit that was found 4/23. I'd LOVE to see this addressed ASAP, because the patch is a *theme* patch. I know the code is different in these themes, it would still be nice to have eyes on it and some reassurance. Thank you!!

https://gist.github.com/2523147

http://www.woothemes.com/2012/04/framework-shortcode-exploit-has-been-fixed/

Posted 1 year ago #
eddygame
Member

Must admit, it makes me a little nervous too - from what I can tell of the woothemes issue, it's very easy to add shortcode to a site with the hack.

would like to see a 'this is absolutely not an issue for our themes' kinda response.

Posted 1 year ago #
Kriesi
Key Master

Hey Guys! I am currently in contact with woothemes to get some more knowledge on the issue, and I let you know as soons as I know more. In the meantime If you are afraid of the exploit open your themefolder with an ftp tool and remove the

"framework/php/avia_shortcodes/preview-shortcode-external.php" file

the file is not necessary for the theme to work, the only functionality lost will be the shortcode previews when you create a new one.

I'll keep you posted!
Cheers

Kriesi

Posted 1 year ago #
eddygame
Member

Thanks for the update Kriesi - please keep us posted on developments.

Posted 1 year ago #
Kriesi
Key Master

Hey!

Will do :)
Since the downtime of woothemes those guys are really busy it seems, so it might be a few more hours until I get an answer from the framework developer :)

Best regards,
Kriesi

Posted 1 year ago #
eddygame
Member

Yeah! I wouldn't want to be in the woothemes office this week!

Posted 1 year ago #
Kriesi
Key Master

Ok guys!

I have released a patch for all framework themes. I am still not sure if the issue WooThemes is having is directly related to this file but I figured it wouldnt be bad adding some additional security. the files now stops executing is the user is not logged in and doesnt have the capability to edit code.

That should fix any holes in the preview system ;)

As always you can download the latest version of the themes on themeforest

Posted 1 year ago #
eddygame
Member

Thats great news Kriesi - thanks for update... can you confirm if it's just the file 'preview-shortcode-external.php' that needs replacing or the whole framework folder?

Posted 1 year ago #
eddygame
Member

and one more question... can we pick up the updated themes from themeforest?

Posted 1 year ago #
Kriesi
Key Master

Hi!

You can already get the update at themeforest, yes.

Updating this preview-shortcode-external.php and the dialog.php file within the shortcode folder is sufficient :)

Regards,
Kriesi

Posted 1 year ago #
eddygame
Member

You're a star Dude - thanks

Posted 1 year ago #

RSS feed for this topic

Topic Closed

This topic has been closed to new replies.

© Copyright Kriesi.at – Wordpress Themes and HTML Templates

top