Revo Slider security alert from Envato (Couple months old - just found it)

There's a security alert from Envato regarding the Revo Slider on WordPress. Does this affect our version? If so, please advise on how to patch it.

Link to advisory below:
http://marketblog.envato.com/news/plugin-vulnerability/...

Thank you for your assistance.
-Dave

Type: Discussion
Status: In Progress
Solarnomics
sebastienj replied:
Yes, it seems that the plugin is vulnerable. This slider will not be included in the next update of SuperMint. There is no patch for this addon adapted for C5.
web089 replied:
Hi Seb,
I bought this theme with the revslider 3 times.
What about fixing this issue? You should already be doing something.
Solarnomics replied:
Glad someone else spoke up about this! Maybe the C5 PRB should weigh in on this?
To be left to hang in limbo like this isn't what I expected from Seb or C5. How can we promote C5 when security holes are left unattended?

Seb, what do you advise?

-Dave
sebastienj replied:
The PRB has nothing to do here because the slider was sold on the Envato Marketplace; this is mentioned on the SuperMint Market page.
I can't solve the issue in revslider. All apologies.
web089 replied:
Seb, you are the developer of the theme that comes together with the revslider, and in that case you are the responsible (re-)seller. I think it's up to you to solve that security issue.

G.
Solarnomics replied:
Seb, ...but you're going to issue a patch, right?

I found the link below, which describes the fix for WP. I tried it verbatim with your theme without success: the pages with the Revo slider wouldn't load, among other things like not being able to log into my site. Maybe you could take a look and adapt this to your theme. Please.

http://johnbuckner.com/wordpress-slider-revolution-security-vulnera...

Thanks in advance,
-Dave

concrete5 Environment Information

# concrete5 Version
5.6.3.1

# concrete5 Packages
Amiant Image Gallery (0.7.3.1), Are You A Human (1.0.1), Automatic Email Obfuscator (1.2.3), Background Image (1.0), Black Accents (2.0), Breadcrumbs (2.0), Clicky Web Analytics (1.3.2), Designer Content (3.1.1), Dynamic Iframe (1.7), Easy Accordion (1.1.2), Easy tabs (1.7.2), Fancy Image Links (1.3.8), Form Tableless Layout (1.2.1), Galleria image gallery (2.0), Gallery (1.8.1), Global Areas (1.0), Image Caption (1.5.1), Login (1.1.1), Magic Heading (1.3), Mega Menu (1.5.30), MindNet Browser Update Notification (1.1), New Colours : Testimonials & Quotes (0.9.0), Nivo Slider (2.0.1), Pictures Gallery (1.1.2), Power Slider Lite (1.1.1), reCAPTCHA (0.9.2), Revolution Slider (2.3.8), Roundabout Gallery (2.2.1), Social Icons Reloaded (2.0), Sortable Fancybox Gallery (1.17), Sortable Responsive Gallery (1.5), SuperMint Theme (2.0.7.2), Transparent Email Obfuscation (1.0.3), VR Tabs Lite (0.9.8).

# concrete5 Overrides
blocks/roll_goods_products, elements/navigation, js/ccm.app.js, css/supermint.css.media, css/supermint.css.deleteme, css/supermint.css.july23, css/supermint.css.orig, css/supermint.css.jul28, css/supermint.css, single_pages/contactform.php, themes/greek_yogurt_custom, themes/ARS2_black_accents, themes/ARS_black_accents, themes/basic_bootstrap

# concrete5 Cache Settings
Block Cache - On
Overrides Cache - On
Full Page Caching - On - In all cases.
Full Page Cache Lifetime - Only when manually removed or the cache is cleared.

# Server Software
Apache

# Server API
cgi-fcgi

# PHP Version
5.4.34

# PHP Extensions
bcmath, bz2, calendar, cgi-fcgi, Core, ctype, curl, date, dba, dom, enchant, ereg, exif, fileinfo, filter, ftp, gd, gettext, gmp, hash, iconv, imagick, imap, intl, json, ldap, libxml, mbstring, mcrypt, mhash, mysql, mysqli, odbc, openssl, pcntl, pcre, PDO, pdo_dblib, pdo_mysql, PDO_ODBC, pdo_pgsql, pdo_sqlite, pgsql, Phar, posix, pspell, readline, recode, Reflection, session, shmop, SimpleXML, soap, sockets, SPL, sqlite3, standard, sysvmsg, sysvsem, sysvshm, tidy, tokenizer, wddx, xml, xmlreader, xmlrpc, xmlwriter, xsl, Zend Guard Loader, zip, zlib.

# PHP Settings
max_execution_time - 30
log_errors_max_len - 1024
max_file_uploads - 20
max_input_nesting_level - 64
max_input_time - 60
max_input_vars - 1000
memory_limit - 128M
post_max_size - 50M
sql.safe_mode - Off
upload_max_filesize - 50M
ldap.max_links - Unlimited
mysql.max_links - Unlimited
mysql.max_persistent - Unlimited
mysqli.max_links - Unlimited
mysqli.max_persistent - Unlimited
odbc.max_links - Unlimited
odbc.max_persistent - Unlimited
pcre.backtrack_limit - 1000000
pcre.recursion_limit - 100000
pgsql.max_links - Unlimited
pgsql.max_persistent - Unlimited
session.cache_limiter - nocache
session.gc_maxlifetime - 7200
soap.wsdl_cache_limit - 5

Browser User-Agent String

Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
