Support » Fixing WordPress » possible vulnerability in jetpack custom css

  • My wordpress news site was under attack earlier today. The attackers were injecting code repetitively into every input box they can find on the site.That drove up the cpu usage[graph] and almost got my account suspended by the host. I started following the trail i found in the access logs and temporarily closed all the forms on the site. But then, i noticed that the attacker started accessing a file in the jetpack plugins directory, and it turned out to be the CSS Formatter and Optimizer, found in “wp-content/plugins/jetpack/modules/custom-css/csstidy/css_optimiser.php”[screenshot] which is open to all visitors, logged in or not. I did a bit of research and found this vulnerability report about the aforementioned file. I renamed the file and added an empty index.php file to hide the content of that directory and i’m trying to figure out a better solution at the moment.

    Why would you allow that file to be open for public?? and why not do something to hide the files inside the directories. I understand directories structure and content can be easily obtained by installing jetpack but it would at least make it harder for automated scrapping solutions to find open input fields.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator cubecolour



    Are you definitely not still logged in when you did this?

    I’m not able to replicate this. I just tried to get to the wp-content/plugins/jetpack/modules/custom-css/csstidy/css_optimiser.php page on one of my installations when not logged in & it threw me out with a 404 page not found error.

    i was logged in but i opened that page in incognito mode, so i should not have been logged in as far as the server is concerned. Nevertheless, i tried it again, after logging out and without incognito mode and still, i was able to access it.

    And i just accessed the css optimiser on your site, and emailed you the link to it from your contact page.

    and added an empty index.php file to hide the content of that directory

    You should be hiding the content of all directories to begin with. Add this line to the top of your .htaccess file:

    Options -Indexes

    I’ve deleted css_optimiser.php and disable directory indexes waiting for a better solution

    Moderator cubecolour



    This appears to have been fixed in the new version of Jetpack (v2.1) by the Jetpack devs

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘possible vulnerability in jetpack custom css’ is closed to new replies.