[wp-trac] [WordPress Trac] #7955: Prototype.js needs an update.

WordPress Trac wp-trac at lists.automattic.com
Fri Oct 24 00:24:14 GMT 2008


#7955: Prototype.js needs an update.
--------------------------------+-------------------------------------------
 Reporter:  SupersonicSquirrel  |       Owner:  anonymous              
     Type:  defect              |      Status:  new                    
 Priority:  high                |   Milestone:  2.7                    
Component:  Administration      |     Version:  2.6.1                  
 Severity:  major               |    Keywords:  prototype.js javascript
--------------------------------+-------------------------------------------
 (I hope I'm doing this right, as it's clearly not a forum topic, but a
 serious issue.)

 I have experienced hacking of my prototype.js file on a high-traffic
 website a couple of times within the recent week and each time malicious
 code would be added to it in order to open an inline frame leading to a
 website that was automatically downloading Trojans to a visitor's
 computer.

 Of course, I always update my installation of WordPress within 1-2 hours
 from when an update is available (and I obviously use 2.6.3 and not
 2.6.1...), the only writeable files on my server are the sitemaps; I know
 how to protect my files and folders; so I assume this is an issue that
 could repeat on someone else's website as well.

 From what I can see, the file on http://www.prototypejs.org/download is
 different from the file included with WordPress. I wonder if updating the
 file included in wp-includes/js/ would change anything.

 I'm sorry if I wasted anyone's time here. When I report a vulnerability at
 the forum, I get responses from newbies telling me stupid things.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/7955>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software

