Viewing 16 posts - 1 through 16 (of 16 total)
  • #11946

    Hi Guys,

    I have Vaultpress on one of my sites and today it’s started giving a warning about the file:

    ‘preview-shortcode-external.php’ in themes: /shoutbox/framework/php/avia_shortcodes/

    I think this is related to the recent woothemes exploit – any idea if this affects ‘ShoutBox’ or other Kriesi themes? Vaultpress is recommending I delete preview-shortcode-external.php. Is it safe to do that? Will it cause any problems with shortcodes?

    Here is some more about the exploit http://blog.sucuri.net/2012/04/new-woothemes-vulnerability-patched-update-framework-now.html

    #73671

    I think Vaultpress is flagging this up as the file names of both the woothemes ‘preview-shortcode-external.php’ and ShoutBox ‘preview-shortcode-external.php’ files are the same? The code looks very different.

    #73672

    Hi eddygame,

    I’m not sure about that. I’ll talk to Kriesi as I’m sure he’s been busy checking into this since he makes such intimate use of WooCommerce.

    In the meantime, you can always make a quick backup of the theme, then delete the file and test for any functionality concerns. Offhand, you will definitely not be able to use the pop-up shortcode generator, but you could still use the shortcodes in the actual pages.

    Regards,

    Devin

    #73673

    Cheers Devin, good advice and probably worth doing as a precaution until the issue is resolved.

    Hopefully get a full answer from Kriesi pretty soon.

    #73674

    It doesn’t look like it will be a big issue and to be honest I don’t *think* it will affect the themes at all. Definitely keep WooCommerce up to date in the coming weeks just in case.

    #73675

    I dunno about this – I’m nervous because it has to do with the Shortcode Exploit that was found 4/23. I’d LOVE to see this addressed ASAP, because the patch is a *theme* patch. I know the code is different in these themes, it would still be nice to have eyes on it and some reassurance. Thank you!!


    https://gist.github.com/2523147

    http://www.woothemes.com/2012/04/framework-shortcode-exploit-has-been-fixed/

    #73676

    Must admit, it makes me a little nervous too – from what I can tell of the woothemes issue, it’s very easy to add shortcode to a site with the hack.

    Would like to see a ‘this is absolutely not an issue for our themes’ kinda response.

    #73677

    Hey Guys! I am currently in contact with woothemes to get some more knowledge on the issue, and I’ll let you know as soon as I know more. In the meantime, if you are afraid of the exploit, open your theme folder with an FTP tool and remove the

    “framework/php/avia_shortcodes/preview-shortcode-external.php” file

    The file is not necessary for the theme to work; the only functionality lost will be the shortcode previews when you create a new one.

    I’ll keep you posted!

    Cheers

    Kriesi

    #73678

    Thanks for the update Kriesi – please keep us posted on developments.

    #73679

    Hey!

    Will do :)

    Since the downtime of woothemes those guys are really busy it seems, so it might be a few more hours until I get an answer from the framework developer :)

    Best regards,

    Kriesi

    #73680

    Yeah! I wouldn’t want to be in the woothemes office this week!

    #73681

    Ok guys!

    I have released a patch for all framework themes. I am still not sure if the issue WooThemes is having is directly related to this file, but I figured it wouldn’t be bad adding some additional security. The files now stop executing if the user is not logged in and doesn’t have the capability to edit code.

    That should fix any holes in the preview system ;)

    As always you can download the latest version of the themes on themeforest
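
The kind of check described in the post above, sketched as an added example for a theme file that is requested directly by URL. This is not code from the thread, from Kriesi, or from the patched themes; the `edit_posts` capability, the nonce action `example_shortcode_preview` and the `shortcode` parameter name are assumptions.

```php
<?php
// Added example: access guard for a theme file that is requested directly by URL.
// The capability, nonce action and request parameter name are assumptions.

// Locate the WordPress bootstrap by walking up from this file's directory.
$dir = dirname( __FILE__ );
while ( ! file_exists( $dir . '/wp-load.php' ) ) {
    $parent = dirname( $dir );
    if ( $parent === $dir ) { // reached the filesystem root without finding it
        header( 'HTTP/1.1 500 Internal Server Error' );
        exit;
    }
    $dir = $parent;
}
require_once $dir . '/wp-load.php';

// 1. Anonymous visitors and users without an editing capability stop here,
//    before any request data is read.
if ( ! is_user_logged_in() || ! current_user_can( 'edit_posts' ) ) {
    status_header( 403 );
    exit;
}

// 2. Require a nonce that the admin-side dialog would have created with
//    wp_create_nonce( 'example_shortcode_preview' ), so another site cannot
//    trigger the request through a logged-in editor's browser.
$nonce = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '';
if ( ! wp_verify_nonce( $nonce, 'example_shortcode_preview' ) ) {
    status_header( 403 );
    exit;
}

// 3. Only now handle request data; filter the rendered markup before output.
$shortcode = isset( $_POST['shortcode'] ) ? wp_unslash( $_POST['shortcode'] ) : '';
echo wp_kses_post( do_shortcode( $shortcode ) );
```

With a guard like this in place, a request from a visitor who is not logged in ends with a 403 before the preview logic runs, so a file-name match in a scanner no longer implies the file is reachable by anonymous users.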

    #73682

    That’s great news Kriesi – thanks for the update… can you confirm if it’s just the file ‘preview-shortcode-external.php’ that needs replacing or the whole framework folder?

    #73683

    And one more question… can we pick up the updated themes from themeforest?

    #73684

    Hi!

    You can already get the update at themeforest, yes.

    Updating this preview-shortcode-external.php and the dialog.php file within the shortcode folder is sufficient :)

    Regards,

    Kriesi

    #73685

    You’re a star Dude – thanks


The topic ‘Security Waring’ is closed to new replies.