
Security vulnerability in Swift 3.3.1

Posted: Fri May 23, 2008 1:06 pm
by eliothochberg
Using ShiftThis Newsletter, which uses Swift 3.3.1.

My client assures me that he has not signed into the site today.

Someone ran a smoke test, but none of us ran it. So far, it doesn't seem to be a hack into WordPress, might be ShiftThis looking into it, but I want to be sure it isn't in Swift.

Is there a known vulnerability in Swift that would allow this?

Any help is appreciated!

Re: Security vulnerability in Swift 3.3.1

Posted: Fri May 23, 2008 5:34 pm
by Chris Corbyn
Did you upload the smoke tests? This isn't a security issue in Swift if you uploaded the tests and kept them in the web root ;) The only bit you need is the lib directory.

Re: Security vulnerability in Swift 3.3.1

Posted: Mon May 26, 2008 12:28 am
by eliothochberg
Using Swift installed via ShiftThis, the smoke test is available over the web through WordPress.

Also just received 101 test messages that no one officially with the site sent.

So is it installed wrong?

Do I need to deactivate the smoke test function?

Should not be there once the system is known to work?

I am very worried that I am leaving the newsletter open to some security issue.

Could someone please explain how an outside person can access this?

Thanks

Re: Security vulnerability in Swift 3.3.1

Posted: Mon May 26, 2008 2:15 am
by Chris Corbyn
It's not a function. First things first, I write Swift Mailer (a library), I don't write ShiftThis. ShiftThis is somebody else's work which uses my library.

There's a directory called "tests/smokes" somewhere inside that plugin. Delete it. Delete the entire "tests" directory actually. The only bit it needs is the "lib" directory.
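A way to check a web root for the layout described above (a `tests/smokes` directory deployed beside the `lib` directory), as an added example that is not part of the thread or of Swift Mailer. Only the `lib`, `tests` and `tests/smokes` names come from the thread; the function names and the plugin path built by `make_demo_tree` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: find and remove bundled "tests" directories that were
# deployed next to a library's "lib" directory inside a web root.

# Print every tests/ directory that has a smokes/ subdirectory and a
# sibling lib/ directory. Paths containing newlines are not supported.
find_exposed_tests() {
    find "$1" -type d -name tests -prune -print 2>/dev/null |
    while IFS= read -r d; do
        parent=$(dirname "$d")
        if [ -d "$parent/lib" ] && [ -d "$d/smokes" ]; then
            printf '%s\n' "$d"
        fi
    done
}

# Delete each directory reported above; print how many were removed.
# The list is collected first so nothing is deleted while find is running.
remove_exposed_tests() {
    list=$(find_exposed_tests "$1")
    count=0
    if [ -n "$list" ]; then
        while IFS= read -r d; do
            rm -rf -- "$d"
            count=$((count + 1))
        done <<EOF
$list
EOF
    fi
    echo "$count"
}

# Build a constructed sample tree (hypothetical plugin path) and print its root.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/plugins/example-plugin/swift/lib"
    mkdir -p "$root/wp-content/plugins/example-plugin/swift/tests/smokes"
    mkdir -p "$root/other/tests"   # no lib/ sibling: must be left alone
    echo "$root"
}
```

Run `find_exposed_tests /path/to/webroot` first and review the list before calling `remove_exposed_tests` on the same path.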

Re: Security vulnerability in Swift 3.3.1

Posted: Mon May 26, 2008 3:15 am
by eliothochberg
Cool - so I can get rid of the tests directory completely, and not hurt the use of Swift Mailer.

thanks

Re: Security vulnerability in Swift 3.3.1

Posted: Mon May 26, 2008 7:42 pm
by Chris Corbyn
Correct. The tests are just a set of files for analysis. The library is independent of them :)