[wp-hackers] Is disabling remote client access a good idea?
wordpress at dd32.id.au
Wed Jun 25 04:51:08 GMT 2008
On Wed, 25 Jun 2008 14:32:27 +1000, Daniel Jalkut <jalkut at red-sweater.com>
> It does seem a bit arbitrary to me, to call out these two URLs, the
> ones corresponding to AtomPub and XMLRPC, and treating them as if
> they're in some way more vulnerable to attacks than all the other URLS
> in the blog system.
The way they've been more vulnerable in the past has not been checking the
username/password, but rather, if the user could perform the action AFAIK.
(Eg, A Subscriber signs up, can pass the user login stage, Next is
checking that the user has all the permissions to do a certain action, In
the admin section, this is pretty complicated, Then you need to duplicate
all the security checks in XMLRPC.. etc)
A lot of the XMLRPC/Atompub code has only been looked over by a small
number of eyes, Most of us do not have a clue about it, dont use it, and
steer clear of it.. Because of that, Less Developers look at the code, and
as a result, less chance that a bug will be caught.
If there was the same ammount of active development on both the API and
use of the API was there is for the main admin panel, I'd say leave it
enabled by default, But fact is, the API's are used by a rather small
minority of users, Just as a lot of other functions, The difference here
however, Is that if the API is *not* going to be used at all by the
majority, Why leave it enabled when theres a chance something might come
along and exploit it?
Yes; Theres chances something will come along and exploit the main admin
panel too, But thats a chance that has to be taken - as the majority of
users use it.
And IMO, The code needs a good lice comb run through its hair to check for
any more bugs; Theres a number of code branches in there which seem
utterly pointless to me, checks being run twice(Just to be sure), and
quite possibly, some which call admin functions without first checking for
the *right* permissions; Ie. Its checking for a permission, But there may
be race conditions where the role manager has assigned a lesser user
access to that function, Or maybe a user will be granted access to a post
if claiming its a page, etc.
No disrespect meant towards anyone who has done work on the XMLRPC/Atom
API's, We're all human and may miss something, or type something wrong.
More information about the wp-hackers