[wp-forums] Security Alerts
Lorelle VanFossen
lorelle at cameraontheroad.com
Wed Aug 10 14:04:58 GMT 2005
Okay, I've been busy this morning collecting and posting information
from the "experts" on the issue but it brings up some other questions.

First, the issue.

Security Issue: http://secunia.com/advisories/16386/
WordPress Forum first post: http://wordpress.org/support/topic/41464

From #wordpress IRC chat:

DrBacchus says: Nobody should have register_globals enabled. Yes, it's
icky and the bug should be fixed, but the responsibility also lies with
the server admin. register_globals is the devil.
relle DrBacchus: could a plugin turn on the globals?
DrBacchus relle: it can be turned on in a .htaccess file, so,
presumably a plugin could do that.

Fix: In .htaccess add a line for php_flag register_globals off

The info is still new though the issue is "old" and more information
will be coming out during the day.

SECOND ISSUE

What has been the policy and procedure and method of handling such
security alerts and warnings? Unfortunately, many times they are posted
by people who rage on with concerns and worries and negative talk and
then we respond. It's then up to the experts and forum volunteers to
calm, inform, and sometimes censor the talk when appropriate.

How should these issues be dealt with? Are there sites which announce
such security alerts that need to be monitored so we can be better
informed? Is it better that "we" post first than just wait for someone
to panic? How do we get these things confirmed and know if this is valid
or just a scare? I'm sure you all have more questions and we all need
answers to how this should work.

Lorelle
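
Added example, not part of the original message or of WordPress: a small audit that walks a web root and reports every .htaccess file that leaves register_globals enabled, which is how a server admin could check the point raised in the IRC exchange and confirm the fix line is in place. The function names, the sample file and the set of values treated as "enabled" are assumptions made for this illustration.

```python
import os
import re

# php_flag / php_value are the directive forms usable in .htaccess.
# Anchored at line start, so lines commented out with "#" never match.
DIRECTIVE = re.compile(
    r'^\s*(php_flag|php_value)\s+register_globals\s+"?([^\s"]+)"?',
    re.IGNORECASE,
)
ENABLED = {"on", "1", "true", "yes"}  # assumption: values counted as "enabled"

# Constructed sample .htaccess, for demonstration only.
SAMPLE = """\
# constructed sample .htaccess
RewriteEngine On
# php_flag register_globals on
PHP_Flag register_globals On
"""


def audit_htaccess(text):
    """Return (line_no, directive, value, enabled) for each register_globals line."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if m:
            value = m.group(2).lower()
            findings.append((no, m.group(1).lower(), value, value in ENABLED))
    return findings


def effective_setting(text):
    """Assumes a later line overrides an earlier one; None means the file is silent."""
    findings = audit_htaccess(text)
    return findings[-1][3] if findings else None


def scan_tree(root):
    """List .htaccess files under root that leave register_globals enabled."""
    risky = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                if effective_setting(fh.read()):
                    risky.append(path)
    return sorted(risky)
```

A file that is silent on the setting inherits it from php.ini or a parent directory, so an empty result from `scan_tree` does not by itself show that register_globals is off on the server.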