[wp-forums] jetpack exposes css-optimiser form

Tim Moore tim at automattic.com
Thu Jan 3 14:40:11 UTC 2013


Thanks for the notice, Michael and Otto. We've gotten this removed in the
development branch and it will be officially removed in Jetpack 2.1.


On Thu, Jan 3, 2013 at 1:24 AM, Otto <otto at ottodestruct.com> wrote:

> That code should indeed be removed from Jetpack since it's vulnerable
> to a CSS attack, but it's not a threat to WordPress itself. It would
> be extremely difficult to leverage that into a hacked site, and would
> require a gullible administrator as well.
>
> -Otto
>
>
> On Wed, Jan 2, 2013 at 11:40 PM, Michael Atkins
> <michael at cubecolour.co.uk> wrote:
> > Adonis Nafeh has flagged up a concern he has with Jetpack
> >
> >
> > http://wordpress.org/support/topic/vulnerability-possible-vulnerability-in-jetpack-custom-css
> >
> > I tried to reach the css_optimiser.php page he mentioned in one of my
> > own installs & got a 404, however I have since found that even with Jetpack
> > not active a non-logged-in user can still load up that page on other sites.
> >
> > Does this look like it is anything to worry about? Or is it a red
> > herring?
> >
> > Michael
> > @cubecolour
> >
> > _______________________________________________
> > wp-forums mailing list
> > wp-forums at lists.automattic.com
> > http://lists.automattic.com/mailman/listinfo/wp-forums