Prototype.js needs an update.

[SupersonicSquirrel]

(I hope I'm doing this right, as it's clearly not a forum topic, but a serious issue.)

I have experienced hacking of my prototype.js file on a high-traffic website a couple of times within the recent week and each time malicious code would be added to it in order to open an inline frame leading to a website that was automatically downloading Trojans to a visitor's computer.

Of course, I always update my installation of WordPress within 1-2 hours from when an update is available (and I obviously use 2.6.3 and not 2.6.1...), the only writeable files on my server are the sitemaps; I know how to protect my files and folders; so I assume this is an issue that could repeat on someone else's website as well.

From what I can see, the file on ​http://www.prototypejs.org/download is different from the file included with WordPress. I wonder if updating the file included in wp-includes/js/ would change anything.

I'm sorry if I wasted anyone's time here. When I report a vulnerability at the forum, I get response from newbies telling me stupid things.

[Viper007Bond]

If you actual prototype.js file is being modified, then you have a server security issue.

[ryan]

We're not on the latest version of prototype, but the latest doesn't address security issues. Prototype is not the problem. We plan to update prototype for WP 2.8.