Security Vulnerability Affecting prettyPhoto jQuery Script

ZoomIt, this seems to be a common issue for some items, though on the positive side Envato is quite fast on resolving it… our item is back online now

Vivaco said

Well, that’s ridiculous, guys. We updated the prettyPhoto bug 2 weeks ago, added the “PrettyPhoto XSS fix” string in the review comment section and then bam! Today we got our WP theme http://themeforest.net/item/startuply-multipurpose-startup-theme/9055667 disabled and customers are writing to my email in rage. Sales are slow this time of year for most of us and now this… how could it happen?

Hey Vivaco,

Sorry for that! I see we’ve now re-enabled it. Please accept our apologies.

Cheers,
Stephen

SeaWebster said

Hi Stephen,

Our plugin uses the updated version of prettyPhoto (3.1.6). We’ve released the update on June 29, 2015. Please check it out: http://codecanyon.net/item/hover-effects-builder-wordpress-plugin/10932318

Thanks in advance.

Hi SeaWebster,

Sorry - we’ve re-enabled this now. Apologies for the inconvenience and thanks for your patience.

Cheers,
Stephen

ZoomIt said

Come on, Envato,

You disabled half of my portfolio, most of which doesn’t even use prettyPhoto.

It was just a mention:

if($.fn.prettyPhoto){
...
}

For example Layouter, Parallaxer, etc.

And I even sent updates mentioning the XSS fix.

Hi Zoomit,

Please accept my apologies for that! I see that these are now re-enabled, but sorry for the inconvenience.

Cheers,
Stephen

ZoomIt said

A quick manual check before disabling would have been nice, especially because I had already sent an update with the prettyPhoto XSS fix.

Hi ZoomIt,

Our original plan was to do a manual check of each item before disabling, which would obviously be ideal.

However, we are dealing with such a large number of items that we estimated that it would take up to a week to disable them all! During that time we’d have no capacity to review new items or updates for other reasons and we’d only have limited capacity to review updates for prettyPhoto.

In the end, we decided that disabling items via a script would be the better way to go (though certainly not ideal).

We have been talking about how we can make this better in future. I’d like to see the ability for authors to look up their items and see whether they have been marked as updated. That would help us pick up cases where we missed it and would also give authors peace of mind. So creating that is now on our list of things to do.

Cheers,
Stephen

Our theme uses the updated version of prettyPhoto (3.1.6). We’ve released the update on June 29, 2015. Please check it out: http://themeforest.net/item/jarvis-onepage-parallax-drupal-theme/7837131

Thanks in advance.
NooTheme


You have two jquery.prettyPhoto.js files: one in [For Exist Drupal Installation] /themes/jarvis/js/jquery.prettyPhoto.js and the other in [For Fresh New Drupal] /files/sites/all/themes/jarvis/js/jquery.prettyPhoto.js, and both prettyPhoto scripts are v3.1.5.

[Screenshot: http://envato.d.pr/4ETI/3LA8A7uk+]

Hi,

We updated Master Slider jQuery four days ago and it has the latest version of prettyPhoto (3.1.6). Please check it out: http://codecanyon.net/item/master-slider-responsive-touch-swipe-slider/6337671


Hi Averta,

Thanks for letting me know. We have re-enabled Master Slider now. Sorry for the inconvenience.

Lotus is still using version 3.1.5 of prettyPhoto - could you please update that one so we can re-enable that too?

Thanks.
Stephen


Hi Stephen,

Thanks for the prompt reply.
Yes, we will submit a new version as soon as possible.

Averta

Hi,
PrettyPhoto was included in my admin side theme, but it was not used in any of my scripts. My whole portfolio is now soft disabled. I already changed and submitted all the files for review 18 hours ago. Still my items have not been approved. Can you tell us how long it will take to approve the items? I have 1300+ sales. My buyers are panicking and sending constant emails to us, because they think we have shut down the product.

An answer would be helpful.

Thanks

Dear Stephen

Please check for our portfolio.

All items were approved after the prettyPhoto problem, but now other people cannot see our theme.

http://themeforest.net/user/Opal_WP/portfolio

Only my account sees it.

Please check for us. Thanks and have a nice day!


Well ok, it happens… thanks for the fast resolution :)

My plugins have been disabled for almost a day due to the prettyPhoto vulnerability. I have submitted the files again for review, however it’s taking a lot more time than usual, almost 23 hours now. Can you please take a look, since our plugin does NOT include prettyPhoto files nor use them. We just check for the existence of $.fn.prettyPhoto so that we can add CSS classes for the prettyPhoto effect.

By the way, we did re-submit the plugins after the vulnerabilities were found but did not upload any new package files, since we had no files to change in the current package.


Hi dbcinfotech,

Thanks - we’ve seen your items in the queue and will get to them soon (they do need a reviewer to check them). We’re focusing on the prettyPhoto items, but we’re starting to get quite a few of them! Hopefully it won’t take too long.

Cheers,
Stephen


Hi Opal_WP,

I can confirm that all your items are enabled, but there is some issue with the site which is preventing them from being displayed properly. The individual pages are live, but they are giving errors every 4 or 5 page views and they are not listed under your portfolio.

I have asked the tech support team to investigate this. Hopefully they will be able to resolve this soon.

Cheers,
Stephen

Is any reviewer online to enable our updated items? They have been in the queue for 8 hours. :)


Yep, we’re here.


Thanks Ivor, can you enable some of our disabled items? We updated prettyPhoto. :)

StephenCronin said
Artureanec said

Hi! How does it apply to PSD templates?

I got an email from Envato:

Unfortunately your item LF - One Page Multi Purpose PSD Theme has been disabled from ThemeForest. Here’s some feedback from our Review team on why it was disabled.

Item soft-disabled because it uses an insecure version of the prettyPhoto jQuery library as outlined here: http://themeforest.net/forums/thread/security-vulnerability-affecting-prettyphoto-jquery-script/181180

Please make the required changes to your item and resubmit for re-review at http://themeforest.net/item/lf-one-page-multi-purpose-psd-theme/edit/5873014

Maybe I do not understand? Explain, please!

Thanks!

Hi Artureanec,

I checked for you and found prettyPhoto is inside this file:

HTML\js\jquery-packed_plugins.js 

It’s version 3.1.5 - can you please update this to 3.1.6 and resubmit? Thanks.

Cheers,
Stephen

Stephen, but it’s a PSD theme.
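The checks Stephen describes in this thread (two copies of jquery.prettyPhoto.js at v3.1.5 in the Drupal theme, and a 3.1.5 copy embedded in HTML\js\jquery-packed_plugins.js) can be scripted so an author can audit a package before resubmitting. The following is an added example, not Envato's review tooling or any code from the thread: it walks a package directory, reports every prettyPhoto version marker found in .js files (including concatenated bundles), and flags anything below 3.1.6. It assumes the library's own markers, the header comment `Version: x.y.z` and the object `$.prettyPhoto = {version: 'x.y.z'}`; the sample package is constructed inline.

```python
import re
import tempfile
from pathlib import Path

# Version markers prettyPhoto ships with (assumed from the library source): the header
# comment "Version: 3.1.6" and the object $.prettyPhoto = {version: '3.1.6'}. The
# object marker also survives concatenation into bundles where the comment may not.
MARKERS = [
    re.compile(r"prettyPhoto.{0,300}?Version:\s*(\d+\.\d+\.\d+)", re.S),
    re.compile(r"prettyPhoto\s*=\s*\{\s*version\s*:\s*['\"](\d+\.\d+\.\d+)['\"]"),
]
FIXED = (3, 1, 6)  # first release with the XSS fix, per the thread

def parse_version(s):
    return tuple(int(p) for p in s.split("."))

def find_prettyphoto_versions(text):
    """Return the distinct prettyPhoto version strings found in one JS source."""
    found = []
    for rx in MARKERS:
        for m in rx.finditer(text):
            if m.group(1) not in found:
                found.append(m.group(1))
    return found

def scan_package(root):
    """Walk a package; return sorted (relative path, version, is_vulnerable) tuples."""
    results = []
    for path in Path(root).rglob("*.js"):
        text = path.read_text(encoding="utf-8", errors="replace")
        for ver in find_prettyphoto_versions(text):
            results.append((path.relative_to(root).as_posix(), ver, parse_version(ver) < FIXED))
    return sorted(results)

# Constructed sample package mirroring the thread: two theme copies at 3.1.5, a packed
# bundle with 3.1.5 inside, a patched 3.1.6 copy, and a file that only feature-detects.
OLD = "/* Class: prettyPhoto\n   Version: 3.1.5 */\n$.prettyPhoto={version:'3.1.5'};"
SAMPLE_FILES = {
    "themes/jarvis/js/jquery.prettyPhoto.js": OLD,
    "files/sites/all/themes/jarvis/js/jquery.prettyPhoto.js": OLD,
    "HTML/js/jquery-packed_plugins.js": "/* other plugin */var x=1;" + OLD.split("\n")[-1],
    "plugin/js/prettyPhoto.js": "(function($){$.prettyPhoto = {version: '3.1.6'};})(jQuery);",
    "plugin/js/app.js": "if($.fn.prettyPhoto){ /* feature detection only, no bundled copy */ }",
}

def build_sample():
    root = Path(tempfile.mkdtemp())
    for rel, body in SAMPLE_FILES.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body, encoding="utf-8")
    return str(root)

if __name__ == "__main__":
    for rel, ver, vuln in scan_package(build_sample()):
        print("VULNERABLE" if vuln else "ok        ", ver, rel)
```

A file that only tests `$.fn.prettyPhoto`, as several authors in the thread describe, produces no hit, which is the distinction the automated disabling missed.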