SECURITY FIX
Hi:
Prevent using the files variable to point to non-CSS files such as PHP files. This was reported by Ali Khalil, who said that it was possible to make a request such as:
site.com/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php
Since the aim is to process CSS files only, the files variable should only contain files that end with .css.
Patch available on github:
https://github.com/wp-plugins/wp-mobile-edition/pull/1
https://github.com/loganaden/wp-mobile-edition/commit/ccef413c24fe52dede0ee51cca534ea8001bb407
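
The check described in the post, as an added example that is not part of the original post or the plugin's patch. It goes one step beyond the `.css` suffix rule by also confirming the resolved path stays inside the CSS directory. The function name `resolve_css_files`, the comma-separated form of `files`, and the directory layout are assumptions constructed for the demo.

```php
<?php
// Added example, not the plugin's code. Assumes `files` is a comma-separated list.
function resolve_css_files(string $filesParam, string $cssDir): array
{
    $base = realpath($cssDir);
    if ($base === false) {
        throw new RuntimeException('CSS directory not found');
    }
    $accepted = [];
    foreach (explode(',', $filesParam) as $name) {
        $name = trim($name);
        // Rule from the post: only names ending in .css are processed.
        if ($name === '' || strpos($name, "\0") !== false
            || strtolower(pathinfo($name, PATHINFO_EXTENSION)) !== 'css') {
            continue;
        }
        // realpath() collapses "../" and symlinks; it returns false for missing files.
        $path = realpath($base . DIRECTORY_SEPARATOR . $name);
        $prefix = $base . DIRECTORY_SEPARATOR;
        // Containment: a .css file outside the CSS directory is refused as well.
        if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
            continue;
        }
        if (is_file($path)) {
            $accepted[] = $path;
        }
    }
    return $accepted;
}

// Constructed layout mirroring the request in the post: config file four levels up.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'css_demo_' . uniqid();
$css  = $root . '/wp-content/themes/demo/css';
mkdir($css, 0700, true);
file_put_contents($css . '/style.css', 'body{margin:0}');
file_put_contents($root . '/wp-config.php', '<?php // constructed stand-in');
file_put_contents($root . '/other.css', 'p{}');

$requests = [
    'style.css',
    '../../../../wp-config.php',           // wrong extension
    '../../../../other.css',               // right extension, outside the directory
    'style.css,../../../../wp-config.php', // mixed list: only the first entry survives
];
foreach ($requests as $r) {
    $ok = resolve_css_files($r, $css);
    printf("%-40s => %s\n", $r, $ok ? implode(', ', array_map('basename', $ok)) : 'rejected');
}
```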
- The topic ‘SECURITY FIX’ is closed to new replies.