[wp-forums] Security expert posting exploits

Julio Potier - BoiteaWeb juliobosk at gmail.com
Wed Jan 30 22:43:01 UTC 2013


Thank you again.

When I warn, I do not give the full exploit, I say "XSS, you have to
sanitize" and "CSRF, use nonce please", then if the author feigns death, I
mail plugins at wp.org, but in most cases the author is happy to be warned.

Have a nice day/night

Julio POTIER
BLOG.boiteaweb.fr <http://blog.boiteaweb.fr>
SECU.boiteaweb.fr <http://secu.boiteaweb.fr/>
"Security is our business"

Tel : 06 89 38 19 04
Twitter : @BoiteaWeb <http://twitter.com/#%21/boiteaweb>
Skype : julio.boiteaweb


2013/1/30 Jan Dembowski <jan at dembowski.net>

> Good Evening Julio! I was sure that you subscribed to this list.
>
> I personally do not have any issue with your posting plugin notifications
> like that. Others may chime in on that topic.  ;)
>
> If it's a critical plugin vulnerability then yes, please report the issue
> to plugins at wordpress.org. I think you can tell the difference between XSS
> and being able to write and execute arbitrary code on demand on a WordPress
> installation...
>
> The hire proposal was the "Not Good" part and I'm glad you won't do it
> again.
>
> Thanks,
>
> Jan Dembowski
>
> On Wed, Jan 30, 2013 at 5:28 PM, Julio Potier - BoiteaWeb <
> juliobosk at gmail.com> wrote:
>
> > Hello
> >
> > In the past, "you" told me that I can post it to the author, then to
> > plugins at wp.org, now do not post, for real, what is the thing?
> >
> > For the hire proposal, sorry, I won't do it again.
> >
> > Thank you
> >
> > 2013/1/30 Jan Dembowski <jan at dembowski.net>
> >
> > > On Wed, Jan 30, 2013 at 5:09 PM, Mark Ratledge wrote:
> > >
> > > > User "I'm Julio Potier, Web Security Consultant and WordPress Expert"
> > > > is posting that plugins have security holes, i.e.
> > > > http://wordpress.org/support/topic/security-issue-22?replies=1
> > > > http://wordpress.org/support/topic/security-flaws?replies=1
> > > >
> > >
> > > He does that. I think I've asked him in the past to contact those plugin
> > > authors more directly and he'd replied that the plugin author is not
> > > reachable. Just publicly notifying like that isn't bad really IMHO.
> > >
> > >
> > > > and posting for hire
> > > >
> > > > http://wordpress.org/support/topic/my-website-is-showing-hacked-message-what-should-i-do?replies=3&view=all
> > > >
> > > > http://wordpress.org/support/profile/juliobox
> > >
> > >
> > > Now THAT'S bad and I've b'coded his account for now.
> > >
> > > He didn't even try to post the standard "what to do if you've been
> > > hacked" reply. It's a self-help forum and while we do sometimes reply
> > > with "seek professional help" he really should have at least made the
> > > effort first instead of zipping in "I'm Web Security Consultant, you
> > > can hire me".
> > >
> > > I think this came up a couple of days ago and I agree with Mika: trying
> > > to help people out and pointing out that you do that sort of work is
> > > not necessarily a bad thing. But you really need to assist in the
> > > forums first or at least exhaust some of the self-help alternatives.
> > > It's not just going through the motions, the volunteer work should be
> > > primary and self-promotion a distant second.
> > >
> > > Thanks,
> > >
> > > Jan Dembowski
> > > _______________________________________________
> > > wp-forums mailing list
> > > wp-forums at lists.automattic.com
> > > http://lists.automattic.com/mailman/listinfo/wp-forums
> > >

