[wp-hackers] Security at Wordpress

Ryan Duff ryan at ryanduff.net
Fri Apr 21 22:39:25 GMT 2006

Elliotte Harold wrote:
> Brian Layman wrote:
>> The nonce solution that Owen proposed will adequately protect WP from my
>> approach. Therefore I don't have to give a "how-to tutorial" of an exploit
>> that could be adapted to attack any non-compiled, non-nonced, non-customized
>> web application out there.
> If it's really that bad, I'd suggest you publish it because no one 
> person is going to be able to fix all the web apps out there.
> However, I suspect what you've discovered is the well-known problem 
> where GET is used for operations with side effects, a common flaw in web 
> apps designed by people who don't understand HTTP. While not as widely 
> known as it should be (which is why further publicity would be a good 
> thing) it's hardly a new attack. It's certainly known to 
> web-app-attackers everywhere. Being quiet about it only helps the black 
> hats who already know.

Nobody here is trying to fix all the web apps. Just one. Seriously, are 
you done hyping whatever was found?

Ryan Duff
AIM: ryancduff
irc.freenode.net #wordpress #plogger
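As an added illustration of the nonce approach the thread refers to (not code from this thread, and not WordPress's own implementation), the sketch below binds a short-lived token to a user and a specific action and makes a state-changing handler refuse requests that lack it. The secret key, tick length, handler and post ids are constructed assumptions; only the `_wpnonce` parameter name mirrors WordPress.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed secret for this example; a real deployment uses a persistent,
# randomly generated key (WordPress derives its nonce hash from the site salts).
SECRET_KEY = b"constructed-example-secret-do-not-reuse"
TICK_SECONDS = 12 * 60 * 60  # assumed bucket size: a nonce lives for two ticks


def _tick(now: float) -> int:
    """Coarse time bucket; a nonce is valid for the current and previous tick."""
    return int(now // TICK_SECONDS)


def create_nonce(action: str, user_id: int, now: Optional[float] = None) -> str:
    """Token bound to (time bucket, action, user) via an HMAC over the secret."""
    now = time.time() if now is None else now
    msg = f"{_tick(now)}|{action}|{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:20]


def verify_nonce(nonce: str, action: str, user_id: int, now: Optional[float] = None) -> bool:
    """Accept a nonce minted in the current or previous tick, compared in constant time."""
    now = time.time() if now is None else now
    for t in (now, now - TICK_SECONDS):
        if hmac.compare_digest(nonce, create_nonce(action, user_id, t)):
            return True
    return False


def handle_delete_post(params: dict, session_user_id: int, now: Optional[float] = None) -> str:
    """State-changing handler (constructed): the nonce, not the HTTP method, gates the action.

    A link or image tag on another site can make a logged-in browser send this
    request, but it cannot supply a nonce tied to this user and this post id.
    """
    post_id = params.get("post", "")
    nonce = params.get("_wpnonce", "")
    if not verify_nonce(nonce, f"delete-post_{post_id}", session_user_id, now):
        return "rejected: missing, stale, or mismatched nonce"
    return f"deleted post {post_id}"
```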