possible vulnerability in jetpack custom css (6 posts)

  1. Adonis Nafeh
    Member
    Posted 1 year ago #

    My WordPress news site was under attack earlier today. The attackers were injecting code repetitively into every input box they could find on the site. That drove up the CPU usage [graph] and almost got my account suspended by the host. I started following the trail I found in the access logs and temporarily closed all the forms on the site. But then I noticed that the attacker started accessing a file in the Jetpack plugin's directory, and it turned out to be the CSS Formatter and Optimizer, found in "wp-content/plugins/jetpack/modules/custom-css/csstidy/css_optimiser.php" [screenshot], which is open to all visitors, logged in or not. I did a bit of research and found this vulnerability report about the aforementioned file. I renamed the file and added an empty index.php file to hide the content of that directory, and I'm trying to figure out a better solution at the moment.

    Why would you allow that file to be open to the public? And why not do something to hide the files inside the directories? I understand the directory structure and content can be easily obtained by installing Jetpack, but it would at least make it harder for automated scraping solutions to find open input fields.
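    One way to follow the trail in the access logs the way the first post describes, as an added example that is not part of this thread: Python over constructed Apache combined-format log lines (the IPs, timestamps and sizes are made up), counting per-client requests to css_optimiser.php and reporting whether the file still answered with 200 after the rename.

```python
import re
from collections import defaultdict

# Apache "combined"-style access log; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# The Jetpack helper the thread discusses, reachable without login in the affected version.
WATCH_PATH = "/wp-content/plugins/jetpack/modules/custom-css/csstidy/css_optimiser.php"

# Constructed sample log lines (not taken from the thread); 203.0.113.7 plays the noisy client.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2013:10:00:01 +0000] "GET /wp-content/plugins/jetpack/modules/custom-css/csstidy/css_optimiser.php HTTP/1.1" 200 5123
203.0.113.7 - - [12/Jan/2013:10:00:02 +0000] "POST /wp-content/plugins/jetpack/modules/custom-css/csstidy/css_optimiser.php HTTP/1.1" 200 6011
203.0.113.7 - - [12/Jan/2013:10:00:02 +0000] "POST /wp-content/plugins/jetpack/modules/custom-css/csstidy/css_optimiser.php HTTP/1.1" 200 6011
198.51.100.4 - - [12/Jan/2013:10:00:03 +0000] "GET /2013/01/some-post/ HTTP/1.1" 200 18211
198.51.100.4 - - [12/Jan/2013:10:00:05 +0000] "GET /wp-content/plugins/jetpack/modules/custom-css/csstidy/css_optimiser.php HTTP/1.1" 404 512
"""

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def csstidy_activity(log_text):
    """Per client IP: requests to WATCH_PATH, how many were POSTs, how many were served 200."""
    stats = defaultdict(lambda: {"total": 0, "post": 0, "ok": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["path"].split("?", 1)[0] != WATCH_PATH:
            continue  # unrelated request or unparsable line
        s = stats[rec["ip"]]
        s["total"] += 1
        s["post"] += int(rec["method"] == "POST")
        s["ok"] += int(rec["status"] == "200")
    return dict(stats)

def file_still_reachable(log_text):
    """True if any request to WATCH_PATH got a 200, i.e. the rename/fix has not taken effect yet."""
    return any(s["ok"] for s in csstidy_activity(log_text).values())

def noisy_clients(log_text, threshold=2):
    """IPs that hit WATCH_PATH at least `threshold` times, busiest first; candidates for blocking."""
    act = csstidy_activity(log_text)
    return sorted((ip for ip, s in act.items() if s["total"] >= threshold),
                  key=lambda ip: -act[ip]["total"])

if __name__ == "__main__":
    for ip, s in csstidy_activity(SAMPLE_LOG).items():
        print(ip, s)
    print("reachable:", file_still_reachable(SAMPLE_LOG), "noisy:", noisy_clients(SAMPLE_LOG))
```

    Point it at a real access log by replacing SAMPLE_LOG with the file contents; a 404 or 403 for every hit after the rename is the confirmation the poster was looking for.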

  2. cubecolour
    ɹoʇɐɹǝpoɯ
    Posted 1 year ago #

    Were you definitely not still logged in when you did this?

    I'm not able to replicate this. I just tried to get to the wp-content/plugins/jetpack/modules/custom-css/csstidy/css_optimiser.php page on one of my installations when not logged in, and it threw me out with a 404 page not found error.

  3. Adonis Nafeh
    Member
    Posted 1 year ago #

    I was logged in, but I opened that page in incognito mode, so I should not have been logged in as far as the server is concerned. Nevertheless, I tried it again after logging out and without incognito mode, and still I was able to access it.

    And I just accessed the CSS optimiser on your site, and emailed you the link to it from your contact page.

  4. Samuel Wood (Otto)
    Tech Ninja
    Posted 1 year ago #

    and added an empty index.php file to hide the content of that directory

    You should be hiding the content of all directories to begin with. Add this line to the top of your .htaccess file:

    Options -Indexes

  5. cegomez
    Member
    Posted 1 year ago #

    I've deleted css_optimiser.php and disabled directory indexes while waiting for a better solution.

  6. cubecolour
    ɹoʇɐɹǝpoɯ
    Posted 1 year ago #

    This appears to have been fixed in the new version of Jetpack (v2.1) by the Jetpack devs.

Topic Closed

This topic has been closed to new replies.
