[wp-hackers] Plugin update & security / privacy

Omry Yadan omry at yadan.net
Sun Sep 23 08:52:13 GMT 2007


1. no need to even send the version to know there is a need to update 
(just get the latest version number and compare to the current version).

2. if wp send information about the blog, the users should be aware of 
this and be able to turn it off. this is a bad publicity bomb waiting to 
go off.


Moritz 'Morty' Strübe wrote:

> I know this will not change until Monday, but is it really necessary to
> transmit the URL? Wouldn't the md5 of the URL do? I know it's easy to
> find WP-Blogs via google. But imagine have them all nicely in a database
> - All of them. Including version, plugins and so on. If that database
> gets public and you find a security bug in one of the plugins - there
> are enough - you can start a _very_ effective attack!
>
> -> update.php:85     $http_request .= 'User-Agent: WordPress/' .
> $wp_version . '; ' . get_bloginfo('url') . "\r\n";
>
> Cheers
> Morty
>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>   



More information about the wp-hackers mailing list