[wp-hackers] Is disabling remote client access a good idea?
ryanmccue at cubegames.net
Wed Jun 25 10:02:36 GMT 2008
> The way they've been more vulnerable in the past has not been checking
> the username/password, but rather, if the user could perform the
> action AFAIK.
> (Eg, A Subscriber signs up, can pass the user login stage, Next is
> checking that the user has all the permissions to do a certain action,
> In the admin section, this is pretty complicated, Then you need to
> duplicate all the security checks in XMLRPC.. etc)
In my opinion, this just means that we need more regression testing,
especially for XML-RPC. If we had automated regression testing, then
this would not be a factor.
More information about the wp-hackers