[wp-hackers] xmlrpc issue or no?

[Jared Bangs]

On Feb 2, 2008 4:55 AM, chays <whoooo at gmail.com> wrote:

> Someone might want to address the post by duskglow, that begins with "Ah,
> heck. I think this bug is being actively exploited, .."
>
> http://wordpress.org/support/topic/134928/page/2#post-686503
>

I think "whooami" did a decent job in responding so far.

It seems to me that if there's anywhere that "we" (WP dev/hacker community)
dropped the ball, it's the period of time between 12/12/2007 (when trac
ticket #5313 was closed) and 2/2/2008 (when it was reopened after an exploit
had been published).

Judging by the timeline illustrated by that ticket's history, in combination
with the ongoing discussion in the linked support forum thread insisting
that the threat was real, there is a nearly two month period of time in
which potentially no one was looking at this very closely. I could be wrong
on that, and maybe people were working hard behind the scenes and just not
finding anything, but it seems to me (after looking at the exploit) that one
of us should have been able to definitively confirm or deny that issue
within the last four months.

It's easy for me to say that, since I obviously didn't take the time to look
into it either, but I think maybe we should at least acknowledge this
situation as a mistake and resolve to learn from it.

As to the age old debate on whether full disclosure is appropriate or not,
the trac ticket history in this case again gives evidence to its "effective
motivating value" (for lack of a better term): closed on 12/12 for lack of
POC, reopened and quickly fixed on 2/2 when the POC code was released. Of
course, he could have / should have sent the POC exploit in privately, but
it's just surprising to me that none of us was able to reproduce it without
the exploit in these last four months.