[wp-hackers] List etiquette

Ryan Duff ryan at ryanduff.net
Thu Apr 20 17:28:25 GMT 2006

Brian Layman wrote:
> I'd like the opinions of the PTB (powers that be), on this list, regarding
> an etiquette issue.
> You saw that I'd posted that "proof of concept" link.  I'm new here and
> really don't know the rules of how this list is run.  So, I'd like to know:
> 1. Should I have posted it or not?  I'd mailed a more functional one to
> Matt.  Should I have kept my mouth shut at that point?
> 2. Once people know that something has been done, others will try it repeat
> it.  Should I have even mentioned that I had proved what we were discussing
> was more than just theory?
> 3. Did I provide too much detail on the approach, or would it perhaps have
> been alright to provide further detail?
> 4. The archive of this discussion is public.  Given that, would it be
> unreasonable (pronounced harmful) to echo that post onto my blog?  My blog
> is intended as a archive of neat technical stuff I've played with.  This
> definitely qualifies.
> 5. The fact that I could mask the attack as a viable link when outside of
> the admin area was, I think, a clever idea.  Should I have kept that to
> myself even though it highlights the danger?
> 6. This link was rather limited in its danger.  If the attack I'd found
> imposed a much greater risk, would that change any of the above?
> 7. If I decide to attempt to prove cookies are vulnerable, should I mention
> any positive (or negative) results?  That could figure into the nonce
> implementation design.  I've not responded to anyone's questions "Am I
> missing something here?" Though I've read that stealing cookies is possible,
> I've not seen discussions of how it is done.  That makes it more likely that
> it is just rumor or no longer an issue.  If it is possible, that could
> eliminate a whole avenue of discussion here.  That's why I am asking these
> questions.  If I figure anything out, what should I do with that knowledge?
> 8. People will Google for the name of an attack and WordPress.  Should we be
> careful using the names of these attack methods in these threads?
> Thank you for your thoughts on these issues...
> _______________________________________________
> Brian Layman
> www.TheCodeCave.com

Since you said that you tested and your proof of concept worked, it 
probably would have been better to directly send that information to 
Matt and Ryan Boren via the security at wordpress.org address.

Ryan Duff
AIM: ryancduff
irc.freenode.net #wordpress #plogger

More information about the wp-hackers mailing list