Security Vulnerability Affecting prettyPhoto jQuery Script

KrownThemes said

We’ve also updated two other items - only one remaining :slight_smile:

Great - we’re holding off getting started disabling until Monday Australian time.

Cheers,
Stephen

@StephenCronin

See, our Visual Composer Prestashop version was updated June 25:

"Approved
we have updated our visual composer with new features and also updated “prettyPhoto XSS fix”

Posted June 25, 2015"

But why was it disabled? Our library is:
"/* ------------------------------------------------------------------------
Class: prettyPhoto
Use: Lightbox clone for jQuery
Author: Stephane Caron (http://www.no-margin-for-errors.com)
Version: 3.1.6
"

smartdatasoft said

@StephenCronin

See, our Visual Composer Prestashop version was updated June 25:

"Approved
we have updated our visual composer with new features and also updated “prettyPhoto XSS fix”

Posted June 25, 2015"

But why was it disabled?

Hi Smartdatasoft,

We missed marking this as updated. It’s been re-enabled now. Apologies for the inconvenience.

Cheers,
Stephen

Thank you very much :slight_smile:

Stephen, I got 2 CodeCanyon items disabled! They were updated 10 days ago. Can you please check them? Thank you!

Hi All,

We have now disabled all items not marked as updated. This was done about an hour or two ago.

There have been a couple of cases so far of items that were updated and which had the correct note to reviewer, but which hadn’t been marked as updated by us - so they were disabled as a result.

Unfortunately, in this case, where we are dealing with thousands of items, there will be an element of human error on our part. We understand that this is extremely inconvenient for authors and may lead to lost revenue, confusion amongst your buyers, etc, so we apologise if this happens to you.

If it does happen to you, please leave a note here and we will re-enable your item as quickly as possible. I will ask the reviewers to monitor this forum post, so this will be the quickest way to get re-enabled. To help us do this more quickly, please leave the name of the items that are affected.

Once again - apologies if this happens to you. We’ll work on improving the system so that we can minimise this problem next time around.

Cheers,
Stephen

@Stephen - two of our themes were wrongly disabled after being updated. I even contacted support a week ago to notify you, yet I may as well have been pissing in the wind. What an absolute joke.

  • Swift Ideas

CrayThemes said

Stephen, I got 2 CodeCanyon items disabled! They were updated 10 days ago. Can you please check them? Thank you!

Hi CrayThemes,

Sorry - we’ve now re-enabled them…

Cheers,
Stephen

Hi Stephen,

My 13 items were disabled, and some of them are not right: I updated them in the previous few days or a week ago, and they have been updated to the latest version.
It’s not fun when you disable them without considering this. Please help me check it.

Thank you!

Hi Stephen, I have the same issue with SwiftIdeas! Two of my updated items disabled.

SwiftIdeas said

@Stephen - two of our themes were wrongly disabled after being updated. I even contacted support a week ago to notify you, yet I may as well have been pissing in the wind. What an absolute joke.

  • Swift Ideas

Hi SwiftIdeas,

Are you talking about Pinpoint and Supreme?

Do you have a ticket number from contacting support? I haven’t actually seen the ticket, so I’d like to work out why it didn’t come through.

What I can see is that in both cases you added the note “SECURITY FIX” rather than “prettyPhoto XSS fix” as we requested. We probably should have picked that up, although some of our techniques involve scanning for items with that exact phrase in the notes, which is why we repeatedly asked people to use that exact phrase.

Also, in the case of both those themes, even though you added the note “SECURITY FIX”, both items still contained version 3.1.4 of prettyPhoto and both updates were rejected with the note “Reason: Please update Visual Composer Plugin to version 4.5.3.” and you don’t seem to have submitted an update until about 20 minutes ago.

Anyway, apologies for the inconvenience. We’ll try to review the updates ASAP and get the items re-enabled.

Cheers,
Stephen

StephenCronin said
SwiftIdeas said

@Stephen - two of our themes were wrongly disabled after being updated. I even contacted support a week ago to notify you, yet I may as well have been pissing in the wind. What an absolute joke.

  • Swift Ideas

Hi SwiftIdeas,

Are you talking about Pinpoint and Supreme? …
Cheers,
Stephen

That’s correct, I submitted those immediately after they were disabled, before I saw your comment here. They are exactly the same zips as the previous submitted update files.

We submitted all updates at the same time on day of the notice (before the requirement to provide a specific update text), each with the exact same text, yet those were the only two that were wrongly picked up. So the text I wrote has nothing to do with that.

As I said I brought this to support’s attention on JUNE 30TH, and received the reply: “If you have already submitted an update, you can omit the notice.”

TICKET # 247624

  • Swift Ideas

My items have been disabled with the reason that I am using prettyPhoto, whereas none of my items include prettyPhoto. I have resubmitted the items as they are. Please help!

Hi Stephen,

I have updated all the items that you disabled; some of them were already the latest version. Some of them do not include prettyPhoto, and I have noted that when resubmitting. Please help me ASAP, as nearly all of my products were disabled by you.

Thank you!

As per the email, my themes do not have “prettyPhoto” nor any reference to it, and they contain Visual Composer version 4.5.3, so as per the mail my themes are compliant on both parameters and are still disabled.

@Stephen - thanks for getting them re-approved, apologies for the tone, but I’m sure you can imagine the frustration due to the amount of time wasted.

  • Swift Ideas

SwiftIdeas said
StephenCronin said
SwiftIdeas said

@Stephen - two of our themes were wrongly disabled after being updated. I even contacted support a week ago to notify you, yet I may as well have been pissing in the wind. What an absolute joke.

  • Swift Ideas

Hi SwiftIdeas,

Are you talking about Pinpoint and Supreme? …
Cheers,
Stephen

That’s correct, I submitted those immediately after they were disabled, before I saw your comment here. They are exactly the same zips as the previous submitted update files.

We submitted all updates at the same time on day of the notice (before the requirement to provide a specific update text), each with the exact same text, yet those were the only two that were wrongly picked up. So the text I wrote has nothing to do with that.

As I said I brought this to support’s attention on JUNE 30TH, and received the reply: “If you have already submitted an update, you can omit the notice.”

TICKET # 247624

  • Swift Ideas

Hey SwiftIdeas,

Thanks for the ticket number. I’ve had a look at that and you were given the wrong advice (after previously being given the right advice, but they should have stuck to that, instead of changing the advice) - so sorry for that!

For most of your items, we picked up the “SECURITY FIX” note, but we missed it for two. However we also utilised some cross-checking scripts at various points and there was no chance of those 2 items being found by that.

I can’t easily double check the zips from last time because they were rejected, but anyway, those two themes are now live again. Apologies for the inconvenience.

Cheers,
Stephen

SwiftIdeas said

@Stephen - thanks for getting them re-approved, apologies for the tone, but I’m sure you can imagine the frustration due to the amount of time wasted.

  • Swift Ideas

Sorry, just cross-posted.

Anyway, no worries - I totally understand the frustration! Sorry if I had a tone too - it ain’t always easy on this side of the fence either! But it’s all good. :slight_smile:

jlvextension said

Hi Stephen,

My 13 items were disabled, and some of them are not right: I updated them in the previous few days or a week ago, and they have been updated to the latest version.
It’s not fun when you disable them without considering this. Please help me check it.

Thank you!

Hi jlvextension,

I see you’ve updated a couple of items - thanks! We’ll review them as soon as possible.

With many other items, you say that they do not include prettyPhoto - but they actually do. I haven’t checked all of them, but using LUV | Responsive One Page Wedding Template as an example, prettyPhoto is inside the following files:

  • luv_template_only_j3.4.1.zip\template\js\jquery.content_slider.min.js
  • luv_kickstart_package_j3.4.1.zip\templates\luv\js\jquery.content_slider.min.js

In that case it is included in the slider. You will either need to see if the slider has updated to the latest version of prettyPhoto, or work out how to update it yourself.

As I said I haven’t checked all the other items, but if they have been disabled, then we did find prettyPhoto in the item zip file somewhere. I recommend you go through each of those items and use grep or a similar tool to search for instances of “.fn.prettyPhoto”. Thanks.

Cheers,
Stephen
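The check Stephen describes above (grep each item zip for “.fn.prettyPhoto”, including copies bundled inside other plugins such as a slider) can be automated. The following script is an added example, not Envato’s review tooling or anything from the thread: it walks a zip, recurses into nested zips (the kickstart-package-containing-a-template-zip layout mentioned above), flags every member that embeds prettyPhoto, and reads the version from prettyPhoto’s own “Class: prettyPhoto … Version: x.y.z” header comment when one is present. Minified bundles usually strip that header, so those are reported as “unknown” rather than silently passed. The sample zip built by `build_sample_item()` is constructed for the demo, and treating 3.1.6 as the fixed release is an assumption taken from the thread, where a 3.1.6 library header was accepted and 3.1.4 was rejected.

```python
import io
import re
import sys
import zipfile
from typing import Dict, Optional

# Marker the reviewers in the thread recommend grepping for.
PRETTYPHOTO_MARKER = b".fn.prettyPhoto"
# prettyPhoto's header comment, as shown in the thread:
#   Class: prettyPhoto / Use: ... / Author: ... / Version: 3.1.6
# Anchoring on "Class: prettyPhoto" avoids picking up another library's
# "Version:" line inside a concatenated bundle.
VERSION_RE = re.compile(rb"Class:\s*prettyPhoto.*?Version:\s*(\d+(?:\.\d+)*)", re.DOTALL)
# Assumption: 3.1.6 is the fixed release, because that is the version the thread
# shows being accepted while 3.1.4 was rejected. Adjust to your own policy.
FIXED_VERSION = "3.1.6"


def parse_version(text: str) -> tuple:
    """'3.1.4' -> (3, 1, 4) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in text.split("."))


def scan_zip_bytes(data: bytes) -> Dict[str, Optional[str]]:
    """Map each zip member that embeds prettyPhoto to its header version (or None).

    Nested zips are scanned recursively and reported as outer.zip/inner/path.js.
    """
    found: Dict[str, Optional[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info)
            if info.filename.lower().endswith(".zip"):
                for inner, ver in scan_zip_bytes(content).items():
                    found[f"{info.filename}/{inner}"] = ver
                continue
            if PRETTYPHOTO_MARKER in content:
                m = VERSION_RE.search(content)
                found[info.filename] = m.group(1).decode() if m else None
    return found


def classify(findings: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Verdict per finding: 'ok', 'outdated', or 'unknown' (no version header, e.g. minified)."""
    fixed = parse_version(FIXED_VERSION)
    verdicts = {}
    for path, ver in findings.items():
        if ver is None:
            verdicts[path] = "unknown"
        elif parse_version(ver) >= fixed:
            verdicts[path] = "ok"
        else:
            verdicts[path] = "outdated"
    return verdicts


def build_sample_item() -> bytes:
    """Constructed sample item zip for the demo; not a real marketplace item."""
    full_src = (b"/* ------------------------------------------\n"
                b"Class: prettyPhoto\nUse: Lightbox clone for jQuery\n"
                b"Author: Stephane Caron (http://www.no-margin-for-errors.com)\n"
                b"Version: 3.1.4\n*/\n"
                b"(function($){ $.fn.prettyPhoto = function(){}; })(jQuery);\n")
    minified = b"!function(a){a.fn.prettyPhoto=function(){}}(jQuery);"  # header stripped
    clean = b"(function($){ $.fn.tooltip = function(){}; })(jQuery);"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("template/js/jquery.content_slider.min.js", minified)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("theme/js/jquery.prettyPhoto.js", full_src)
        z.writestr("theme/js/plugins.js", clean)
        z.writestr("template_only.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    # Usage: python scan_prettyphoto.py item1.zip item2.zip ...  (no args: run the sample)
    targets = sys.argv[1:]
    blobs = [(p, open(p, "rb").read()) for p in targets] or [("sample.zip", build_sample_item())]
    for name, blob in blobs:
        verdicts = classify(scan_zip_bytes(blob))
        if not verdicts:
            print(f"{name}: no prettyPhoto found")
        for path, verdict in verdicts.items():
            print(f"{name}: {verdict:8} {path}")
```

A verdict of “unknown” is the case from the thread: the slider’s minified file carries prettyPhoto without its header, so the version cannot be read from the zip and has to be confirmed from the slider’s own release notes or by diffing the minified code against a known release.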

stmcan said

Hi Stephen, I have the same issue with SwiftIdeas! Two of my updated items disabled.

Hi stmcan,

Sorry - I’ve checked and re-enabled those two themes for you now. Apologies again!

Cheers,
Stephen