[wp-hackers] Security at Wordpress
Brian Layman
Brian at TheCodeCave.com
Fri Apr 21 21:49:36 GMT 2006
> I'm not sure what you mean by this but if you would withhold
> information, I think that would be somewhat antiproductive, wouldn't
> it?
Yes, and that will be the point of my not going into a lot of detail.
I am very disturbed by what I've found and there are repercussions far
beyond WP.
I can say that openly because I'll be assumed to be a crank and braggart.
The nonce solution that Owen proposed will adequately protect WP from my
approach. Therefore I don't have to give a "how-to tutorial" of an exploit
that could be adapted to attack any non-compiled, non-nonced, non-customized
web application out there.
With the problem already solved, I need only provide an example url that can
be used to demonstrates the current vulnerability and prove that updated
blogs are protected.
Sorry if that bothers anyone, but I'm not budging on this one. I'll likely
disclose more to Matt as I at least have read his blog for that last couple
years a know at least a little about his presented character. Then he can
judge beyond that. No offense, but the rest of you are just names at this
point. :)
_______________________________________________
Brian Layman
www.TheCodeCave.com
More information about the wp-hackers
mailing list