Domain Manage

Use themeforest or codecanyon read this

Discussion in 'Website Design' started by cannybagotudor, Sep 9, 2014.

Thread Status:
Not open for further replies.
  1. cannybagotudor United Kingdom

    cannybagotudor Active Member

    Joined:
    Jun 2013
    Posts:
    80
    Likes Received:
    2
    I'm guessing a few of you use themeforest for themes and maybe code canyon for sliders etc, well they have a serious security issue with hundreds of WordPress themes using 2 popular sliders, revolution slider and showbiz Pro. These sliders are commonly bundled with wordpress themes and are also available on their own.
    You can find out more below

    http://marketblog.envato.com/general/plugin-vulnerability/

    The weakness allows hackers full access to the server so if you host other sites on the same server they can also be attacked.
     
    • Like Like x 1
  3. Adam H

    Adam H Well-Known Member Exclusive Member

    Joined:
    May 2014
    Posts:
    1,046
    Likes Received:
    84
    Yeah, this was released by Sucuri last week, along with a check to see if your slider has been affected. What they don't tell you is that the problem was actually patched a long time ago (months), but it was never made a big deal of in the update logs.

    http://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html

    If your site is using the revolution slider then try this URL, obviously replacing the site name:

    Code:
    http://victim.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
    This will tell you if your site is at risk. If it is at risk it will allow you to download the wp-config.php from the admin-ajax; if it gives you a blank page or an "image not found" message then you are running a safe version.
     
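    As an added example (not part of this thread or of the Sucuri write-up): a small Python script that looks for the URL Adam H describes in web server access logs, so a site owner can see whether anyone has tried it and, from the response size, whether the file was actually served. The log lines are constructed samples; a patched plugin answering "0" or "image not found" sends a body of only a few bytes, which is the signal the script keys on.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined log format: client, timestamp, request line, status, bytes sent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def classify(line):
    """Return a finding for a revslider_show_image file-download attempt, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    qs = parse_qs(parts.query)
    if qs.get("action", [""])[0] != "revslider_show_image":
        return None
    img = unquote(qs.get("img", [""])[0])
    # Traversal, an absolute path or wp-config in the name means the caller is not fetching a slider image.
    suspicious = ".." in img or img.startswith("/") or "wp-config" in img
    if not suspicious:
        return None
    status = int(m.group("status"))
    size = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
    # A patched plugin replies with a tiny body ("0" / "image not found"); a 200 with a body
    # of more than ~100 bytes is consistent with the requested file having been served.
    outcome = "likely_success" if status == 200 and size > 100 else "attempt"
    return {"ip": m.group("ip"), "img": img, "status": status, "bytes": size, "outcome": outcome}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2014:03:14:07 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2014:03:14:09 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=..%2F..%2Fwp-config.php HTTP/1.1" 200 1 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Sep/2014:03:15:00 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=slider1.jpg HTTP/1.1" 200 18455 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Sep/2014:03:16:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

def scan(log_text):
    """Run classify() over every line and keep only the findings."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Point it at a real access log with `scan(open(path).read())`; a "likely_success" result against a site means the database credentials in wp-config.php should be treated as exposed.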
  4. grantw United Kingdom

    grantw Well-Known Member

    Joined:
    Mar 2005
    Posts:
    4,649
    Likes Received:
    82
    This is what happens when you run your site from the online equivalent of a council house!
     
  5. timter51 United Kingdom

    timter51 Active Member Exclusive Member

    Joined:
    Oct 2012
    Posts:
    549
    Likes Received:
    22
    My sites all return a HTML page just with a "0" on it, that's it. All good?
     
  6. Adam H

    Adam H Well-Known Member Exclusive Member

    Joined:
    May 2014
    Posts:
    1,046
    Likes Received:
    84
    Yeah, I believe that's fine. If it was vulnerable you would physically see the ability to download the file from the server to your local machine; obviously doing so would then give that person access to your wp-config SQL logins plus the ability to download any other file they wished.
     
  7. timter51 United Kingdom

    timter51 Active Member Exclusive Member

    Joined:
    Oct 2012
    Posts:
    549
    Likes Received:
    22
    Wow, I just found an old site with the vulnerability... using the "X" theme which is a best seller at ThemeForest. Scary being able to just download the wp-config with all the passwords etc. inside :/
     
  8. Aegean

    Aegean Active Member

    Joined:
    Feb 2011
    Posts:
    752
    Likes Received:
    16
    Man, wordpress itself allows sites to be hacked, never mind sliders.
     
  9. Alien

    Alien Well-Known Member

    Joined:
    May 2006
    Posts:
    5,921
    Likes Received:
    57
    I get a -1 on one site, I assume (hope) that's OK?! :D
     
  10. atlas Canada

    atlas Well-Known Member

    Joined:
    Oct 2007
    Posts:
    1,348
    Likes Received:
    34
    Do you mean Wordpress or the themes? Or both?
     
  11. Adam H

    Adam H Well-Known Member Exclusive Member

    Joined:
    May 2014
    Posts:
    1,046
    Likes Received:
    84
    Any self-managed platform that has a decent sized community and lets the website owner choose their own plugins, themes and hosting environment without really knowing what they are installing will always have downfalls.

    As they say, the majority of the time the real issue is PEBKAC (problem exists between keyboard and chair): people don't check what they are installing, they don't update when they are told to, or they simply don't understand the risks.

    I would put money on the majority of the people that have been hit with this slider vulnerability (and most likely the people that still don't know about it until they are hacked) actually being people that downloaded older nulled versions of these themes. Obviously not all of them, as some themes were not updated, but I suspect huge numbers were people taking the cheap way out.
     
  12. grantw United Kingdom

    grantw Well-Known Member

    Joined:
    Mar 2005
    Posts:
    4,649
    Likes Received:
    82
    I was referring to anything WordPress, but especially if it's had themes/plugins added to it; it's like putting up a sign asking hackers to come and have a go.

    I get probably 50+ phishing emails a day, the majority of them contain a link to a page on a hacked wordpress site. The whole system is like a dormant virus spreading around the internet just waiting to be unleashed.

    Grant
     
  13. ChrisMM France

    ChrisMM Active Member

    Joined:
    Oct 2009
    Posts:
    183
    Likes Received:
    7
    Newsflash: Everything is OK in the world... until it isn't!
     
  14. cannybagotudor United Kingdom

    cannybagotudor Active Member

    Joined:
    Jun 2013
    Posts:
    80
    Likes Received:
    2
    I tend to agree with grantw. I had a WordPress site hacked before, themes breaking down when you update to the latest version of WordPress etc. I then started to learn HTML and haven't used WordPress since. An HTML site can still get hacked, but the process is a lot more involved, and due to how easily WordPress and to an extent Joomla are hacked, few waste their resources trying to attack HTML sites.
    I understand the popularity of WordPress: it's end-user friendly and, for those selling websites, they can be turned out fast. The disadvantage is end users are not really tech savvy and may use plugins an experienced web designer or internet marketer wouldn't touch.

    As Adam H pointed out, this was fixed some time ago. The issue is that as these plugins were bundled into themes, it was reliant on the theme creator to update their themes, and no support was offered from the original plugin creators in these cases as the theme was not purchased directly.

    Those in high-comp SEO will remember the infamous frog in a well case, which effectively ensured the payday loan niche was manually reviewed by Google on a regular basis. Hackers used plugin backdoors and could effectively rank for any term they wanted.
     