Wordpress Themes - WP Forum at BFA


KatyDigg Jul 3, 2011 08:51 AM

?bfa_ata_file=css Source Code Disclosure
 
Hi Folks!

WP 3.1.4

ATA 3.6.7

> All 3.6.7 Bug Fixes employed.

> CSS is set to External.

I've just had a scan result from WebsiteDefender:

ALERT Source code disclosure (http://www.xxxxxx/?bfa_ata_file=css)


http://www.xxxxxx/?bfa_ata_file=css
<?php bloginfo('template_directory');?>


Source code patterns were found on this page. The source code of server-side scripts helps an attacker to better understand the logic behind the Web application and may help him conduct further attacks.


EDIT:

1) On 3.6.4 site(s) - having run WebsiteDefender - this issue does not occur.

2) Only, seemingly, occurs on 3.6.7 site (with the 3.6.7 bug fixes employed).



[By the way, I have NOT, ever, used the plugins AddThis, WP Touch or W3 Total Cache - on any site]
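A check for the condition the scanner flagged above, raw PHP tags in the body served for `?bfa_ata_file=css`, as an added example that is not part of the original thread or of the theme's code. The function name `find_php_leaks` and the sample CSS body are constructed for illustration; only the `<?php bloginfo('template_directory');?>` pattern comes from the scan report.

```python
import re

# Opening tags that mean server-side source reached the client unexecuted.
# "<?xml" is excluded: it is a legitimate XML declaration, not PHP.
PHP_OPEN = re.compile(r"<\?(?:php\b|=|(?!xml\b))", re.IGNORECASE)
PHP_CLOSE = "?>"


def find_php_leaks(body: str, max_snippet: int = 80):
    """Return (line, column, snippet) for each unexecuted PHP tag in body."""
    leaks = []
    pos = 0
    while True:
        m = PHP_OPEN.search(body, pos)
        if m is None:
            break
        start = m.start()
        end = body.find(PHP_CLOSE, m.end())
        if end == -1:
            # PHP allows a missing closing tag: report up to the end of the line.
            nl = body.find("\n", start)
            stop = len(body) if nl == -1 else nl
        else:
            stop = end + len(PHP_CLOSE)
        line = body.count("\n", 0, start) + 1
        col = start - (body.rfind("\n", 0, start) + 1) + 1  # 1-based column
        leaks.append((line, col, body[start:stop][:max_snippet]))
        pos = max(stop, m.end())
    return leaks


# Constructed sample: CSS as it might be served for ?bfa_ata_file=css,
# with the pattern from the scan report embedded in one rule.
SAMPLE_CSS = (
    "body { margin: 0; }\n"
    "div#header { background: url(<?php bloginfo('template_directory');?>/images/h.png); }\n"
    "a { color: #036; }\n"
)

if __name__ == "__main__":
    for line, col, snippet in find_php_leaks(SAMPLE_CSS):
        print(f"line {line}, col {col}: {snippet}")
```

Run against the saved response body of the external CSS URL, this pinpoints which rule carries the unexecuted tag, so the matching theme option can be located and corrected.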

juggledad Jul 4, 2011 06:01 AM

Was the site in 3.6.4 using CSS external or internal?

KatyDigg Jul 4, 2011 07:29 AM

Quote:

Originally Posted by juggledad (Post 69107)
Was the site in 3.6.4 using CSS external or internal?

Ah, good point, Juggledad, I'll away and find out right now.

EDIT:

Actually, just had a look and the 3.6.4 site is using CSS inline/internal.

KatyDigg Jul 11, 2011 03:38 AM

Simply wish to include this reference link, so as to come back to later.


CSS all dumped into the <head> of the files. Why?



.

