[wp-hackers] Is disabling remote client access a good idea?

DD32 wordpress at dd32.id.au
Wed Jun 25 04:51:08 GMT 2008


On Wed, 25 Jun 2008 14:32:27 +1000, Daniel Jalkut <jalkut at red-sweater.com>  
wrote:
> It does seem a bit arbitrary to me, to call out these two URLs, the
> ones corresponding to AtomPub and XMLRPC, and treat them as if
> they're in some way more vulnerable to attacks than all the other URLs
> in the blog system.

The way they've been more vulnerable in the past has not been in checking the
username/password, but rather in checking whether the user could perform the
action, AFAIK. (E.g., a Subscriber signs up and can pass the user login stage;
next is checking that the user has all the permissions to do a certain action.
In the admin section this is pretty complicated, and then you need to
duplicate all the security checks in XMLRPC, etc.)

A lot of the XMLRPC/AtomPub code has only been looked over by a small number
of eyes; most of us do not have a clue about it, don't use it, and steer clear
of it. Because of that, fewer developers look at the code, and as a result
there is less chance that a bug will be caught.

If there was the same amount of active development on both the API and use of
the API as there is for the main admin panel, I'd say leave it enabled by
default. But the fact is, the APIs are used by a rather small minority of
users, just as a lot of other functions are. The difference here, however, is
that if the API is *not* going to be used at all by the majority, why leave it
enabled when there's a chance something might come along and exploit it?

Yes, there's a chance something will come along and exploit the main admin
panel too, but that's a chance that has to be taken, as the majority of users
use it.

And IMO, the code needs a good lice comb run through its hair to check for
any more bugs; there are a number of code branches in there which seem
utterly pointless to me, checks being run twice (just to be sure), and quite
possibly some which call admin functions without first checking for the
*right* permissions. I.e., it's checking for a permission, but there may be
race conditions where the role manager has assigned a lesser user access to
that function, or maybe a user will be granted access to a post if claiming
it's a page, etc.

No disrespect meant towards anyone who has done work on the XMLRPC/Atom APIs;
we're all human and may miss something, or type something wrong.
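A minimal PHP model of the two separate gates this message describes (passing login versus holding the right capability for the object's real type), added here as an illustration; it is not code from the thread or from WordPress core, and the roles, capability names, users and stored objects are all constructed for the example:

```php
<?php
// Added illustration of the two gates discussed above: authentication (who is
// calling) and authorisation (may they do this). All names, roles, users and
// stored objects are constructed for the example; this is not WordPress core code.
declare(strict_types=1);
// Constructed role -> capability table (the names echo WordPress's, but this is a model).
const CAPS = ['subscriber' => [], 'author' => ['edit_post'], 'editor' => ['edit_post', 'edit_page']];
// Constructed stored objects. The type lives server-side and is never taken from the
// client, which closes the "claim it's a page, get post rights" gap described above.
const OBJECTS = [10 => ['type' => 'post'], 20 => ['type' => 'page']];

// Constructed user table; password hashes are generated on first use.
function users(): array {
    static $users = null;
    return $users ??= [
        'alice' => ['hash' => password_hash('a-secret', PASSWORD_DEFAULT), 'role' => 'author'],
        'carol' => ['hash' => password_hash('c-secret', PASSWORD_DEFAULT), 'role' => 'subscriber'],
    ];
}
// Gate 1: authentication. Passing it proves identity, nothing more.
function authenticate(string $user, string $pw): ?array {
    $u = users()[$user] ?? null;
    if ($u === null || !password_verify($pw, $u['hash'])) return null;
    return ['name' => $user, 'role' => $u['role']];
}
// Gate 2: authorisation. The required capability is derived from the stored type.
function canEdit(array $caller, int $id): bool {
    if (!array_key_exists($id, OBJECTS)) return false;
    $cap = OBJECTS[$id]['type'] === 'page' ? 'edit_page' : 'edit_post';
    return in_array($cap, CAPS[$caller['role']], true);
}
// Weak handler shape: a successful login is treated as permission to act.
function editWeak(string $user, string $pw, int $id, string $claimedType): string {
    return authenticate($user, $pw) === null ? 'fault: bad login' : "edited $id";
}
// Hardened handler shape: both gates run, and the client's $claimedType is ignored.
function editHardened(string $user, string $pw, int $id, string $claimedType): string {
    $caller = authenticate($user, $pw);
    if ($caller === null) return 'fault: bad login';
    if (!canEdit($caller, $id)) return 'fault: insufficient capability';
    return "edited $id";
}

// A subscriber passes login, so only the hardened path refuses the edit;
// an author who labels page 20 a "post" still needs edit_page.
echo editWeak('carol', 'c-secret', 20, 'post'), PHP_EOL;
echo editHardened('carol', 'c-secret', 20, 'post'), PHP_EOL;
echo editHardened('alice', 'a-secret', 20, 'post'), PHP_EOL;
```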