• I’ve been contacted by one of the many “white hat” hackers out there pointing to an XSS vulnerability on my site. Apparently the debugger is publicly visible and the URLs he has sent me to prove it all display Timber errors as shown in this image:

    https://postimg.org/image/2eluvesfmj/

    His specific message to me was this:
———————
So there is an open debugger accessible to the whole wide world which has an XSS issue and is leaking your server and PHP data:

    https://xyz.ext/blog/page/8/?a=%22%2F%3E%27%3E%22%3EI%3Ci%3EI%3Csvg%2Fonload%3Dalert%28%2Fopenbugbounty%2F%29%3E

I recommend disabling debug mode ASAP, and if you see any confidential things like passwords or keys leaked, change them immediately.
    ———————

Is this a Timber issue or is it something inside WP in general? I am using Gantry with a RocketTheme template (Helium). I’d rather not post the real URL of the page, as if this is indeed a vulnerability that can be exploited I don’t want it publicized until it can be fixed…

    • This topic was modified 7 years, 5 months ago by maestroc.
Viewing 1 reply (of 1 total)
  • Hi,

I just replied to your topic in the RocketTheme forum. This page is a Whoops (https://github.com/filp/whoops) error page that helps us debug code issues. It doesn’t contain any sensitive data. Other RocketTheme employees and I weren’t able to replicate or confirm the possible XSS issue. Nevertheless, I asked you in our forums if you could please provide us, in a safe way, with your site address/FTP so I could check your files.

    Thank you!
    Jakub

    • This reply was modified 7 years, 5 months ago by Gantry.
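The reply above identifies the page as a Whoops error page. The practical fix the reporter asks for is to make sure that handler is never registered on a public site. The snippet below is an added example of that guard, written for this thread; it is not code from Timber, Gantry, RocketTheme, or the Whoops project. It assumes Whoops is installed via Composer, that `WP_DEBUG` is defined in wp-config.php, and that `wp_get_environment_type()` is available (WordPress 5.5 and later; older sites fall back to treating the environment as production).

```php
<?php
// Added example (not Timber, Gantry or Whoops project code).
// Register Whoops' pretty page handler only when the site is explicitly in
// debug mode on a non-production environment; everywhere else, log the error
// server side and return a generic page that reflects nothing from the request.
//
// Assumptions: vendor/autoload.php comes from Composer; WP_DEBUG is set in
// wp-config.php; wp_get_environment_type() exists (WordPress 5.5+).

require_once __DIR__ . '/vendor/autoload.php';

use Whoops\Run;
use Whoops\Handler\PrettyPageHandler;
use Whoops\Handler\CallbackHandler;
use Whoops\Handler\Handler;

/**
 * True only when BOTH WP_DEBUG is on AND the environment is local/development.
 * A stray WP_DEBUG=true left in a production wp-config.php is not enough on
 * its own to expose the debugger.
 */
function debug_pages_allowed(): bool
{
    $debug = defined('WP_DEBUG') && WP_DEBUG;
    $env   = function_exists('wp_get_environment_type')
        ? wp_get_environment_type()   // 'local', 'development', 'staging', 'production'
        : 'production';               // unknown WordPress version: assume production
    return $debug && in_array($env, ['local', 'development'], true);
}

$whoops = new Run();

if (debug_pages_allowed()) {
    // Developer machines only: full stack trace, request and $_SERVER dump.
    $whoops->pushHandler(new PrettyPageHandler());
} else {
    // Production: keep the details in the server log and send the visitor a
    // fixed body. Nothing from the URL or query string is echoed, so a crafted
    // request cannot be reflected into the error page.
    $whoops->pushHandler(new CallbackHandler(function ($exception, $inspector, $run) {
        error_log(sprintf(
            '[%s] %s in %s:%d',
            get_class($exception),
            $exception->getMessage(),
            $exception->getFile(),
            $exception->getLine()
        ));
        if (!headers_sent()) {
            http_response_code(500);
            header('Content-Type: text/html; charset=UTF-8');
        }
        echo '<!doctype html><title>Error</title><p>Something went wrong.</p>';
        return Handler::QUIT;   // stop here; no further handlers, no PHP default output
    }));
}

$whoops->register();
```

A quick check after deploying such a guard is to request any page of the site that previously showed the Whoops screen and confirm that only the generic 500 body comes back; the stack trace, environment and request tables should appear only in the server log.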
  • The topic ‘XSS vulnerability in Timber debugger?’ is closed to new replies.