April 30, 2012 at 6:55 pm #11946
I have Vaultpress on one of my sites and today it’s started giving a warning about the file:
‘preview-shortcode-external.php’ in themes: /shoutbox/framework/php/avia_shortcodes/
I think this is related to the recent woothemes exploit – any idea if this affects ‘ShoutBox’ or other Kriesi themes? Vaultpress is recommending I delete – preview-shortcode-external.php is it safe to do that? will it cause any problems with short codes?
Here is some more about the exploit http://blog.sucuri.net/2012/04/new-woothemes-vulnerability-patched-update-framework-now.html
April 30, 2012 at 8:08 pm #73671
I think Vaultpress is flagging this up as the file names of both the woothemes ‘preview-shortcode-external.php’ and ShoutBox ‘preview-shortcode-external.php’ files are the same? The code looks very different.
April 30, 2012 at 8:53 pm #73672
I’m not sure about that. I’ll talk to Kriesi as I’m sure he’s been busy checking into this since he makes such intimate use of WooCommerce.
In the meantime, you can always make a quick backup of the theme then delete the file and test for any functionality concerns. Off hand, you will definitely not be able to use the pop up shortcode generator but you could still use the shortcodes in the actual pages.
Devin
April 30, 2012 at 8:59 pm #73673
Cheers Devin, good advice and probably worth doing as a precaution until the issue is resolved.
Hopefully get a full answer from Kriesi pretty soon.
April 30, 2012 at 9:13 pm #73674
It doesn’t look like it will be a big issue and to be honest I don’t *think* it will affect the themes at all. Definitely keep WooCommerce up to date in the coming weeks just in case.
May 1, 2012 at 3:25 pm #73675
I dunno about this – I’m nervous because it has to do with the Shortcode Exploit that was found 4/23. I’d LOVE to see this addressed ASAP, because the patch is a *theme* patch. I know the code is different in these themes, it would still be nice to have eyes on it and some reassurance. Thank you!!
May 1, 2012 at 8:59 pm #73676
Must admit, it makes me a little nervous too – from what I can tell of the woothemes issue, it’s very easy to add shortcode to a site with the hack.
Would like to see a ‘this is absolutely not an issue for our themes’ kinda response.
May 2, 2012 at 7:44 am #73677
Hey Guys! I am currently in contact with woothemes to get some more knowledge on the issue, and I’ll let you know as soon as I know more. In the meantime, if you are afraid of the exploit, open your theme folder with an ftp tool and remove the
the file is not necessary for the theme to work, the only functionality lost will be the shortcode previews when you create a new one.
I’ll keep you posted!
Kriesi
May 2, 2012 at 8:11 am #73678
May 2, 2012 at 2:00 pm #73679
Will do :)
Since the downtime of woothemes those guys are really busy it seems, so it might be a few more hours until I get an answer from the framework developer :)
Kriesi
May 2, 2012 at 7:46 pm #73680
May 3, 2012 at 6:27 pm #73681
I have released a patch for all framework themes. I am still not sure if the issue WooThemes is having is directly related to this file but I figured it wouldn’t be bad adding some additional security. The files now stop executing if the user is not logged in and doesn’t have the capability to edit code.
That should fix any holes in the preview system ;)
As always you can download the latest version of the themes on themeforest
May 3, 2012 at 8:24 pm #73682
That’s great news Kriesi – thanks for update… can you confirm if it’s just the file ‘preview-shortcode-external.php’ that needs replacing or the whole framework folder?
May 3, 2012 at 8:32 pm #73683
May 4, 2012 at 1:00 pm #73684
You can already get the update at themeforest, yes.
Updating this preview-shortcode-external.php and the dialog.php file within the shortcode folder is sufficient :)
Kriesi
May 4, 2012 at 1:02 pm #73685
The topic ‘Security Waring’ is closed to new replies.
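
For anyone triaging a similar filename-based warning, the check below (an added example, not code from this thread or from the theme) walks a themes directory, finds every copy of preview-shortcode-external.php, and reports whether it contains a login or capability guard of the kind the patch is described as adding. It assumes the guard is written with WordPress's is_user_logged_in() and current_user_can(); theme-b, theme-c, render_preview() and all sample PHP are constructed.

```python
import re
import tempfile
from pathlib import Path

TARGET = "preview-shortcode-external.php"  # file name taken from the thread
# Assumption: a patched copy guards itself with these WordPress core calls.
LOGIN = re.compile(r"\bis_user_logged_in\s*\(")
CAPABILITY = re.compile(r"\bcurrent_user_can\s*\(")

def strip_php_comments(src):
    """Drop /* */, // and # comments so a commented-out guard is not counted.
    A '//' or '#' inside a string also cuts the line, which errs toward flagging."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(?m)(//|#).*$", "", src)

def classify(src):
    code = strip_php_comments(src)
    if CAPABILITY.search(code):
        return "capability-check"  # logged-out visitors hold no capabilities
    if LOGIN.search(code):
        return "login-only"        # any logged-in account still gets through
    return "unguarded"             # nothing stops an anonymous request

def audit_themes(themes_dir):
    """Map every copy of TARGET below themes_dir to its classification."""
    root = Path(themes_dir)
    return {p.relative_to(root).as_posix(): classify(p.read_text(errors="replace"))
            for p in sorted(root.rglob(TARGET))}

def demo():
    """Audit a constructed themes tree; the PHP bodies are made up."""
    sub = Path("framework/php/avia_shortcodes")
    samples = {
        "shoutbox": "<?php\n// if (!current_user_can('edit_posts')) die();\nrender_preview();\n",
        "theme-b": "<?php\nif (!is_user_logged_in()) die();\nrender_preview();\n",
        "theme-c": "<?php\nif (!is_user_logged_in() || !current_user_can('edit_posts')) die();\n"
                   "render_preview();\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for theme, php in samples.items():
            folder = Path(tmp) / theme / sub
            folder.mkdir(parents=True)
            (folder / TARGET).write_text(php)
        return audit_themes(tmp)

if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:17} {path}")
```

A "capability-check" verdict only means the call is present in the file; reading the file is still needed to confirm the guard runs before anything else does.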