[wp-hackers] RE: A quick update on the security issue I'd mentioned today

Brian Layman Brian at TheCodeCave.com
Mon Apr 24 22:03:41 GMT 2006

Matt Mullenweg wrote:
> If the attacker is able to upload and execute a file on the server, it's 
> already far beyond where we could do anything on the WordPress level to 
> protect that site. What you describe is a pretty clever hack once things 
> are already on the server, though. Thanks for continuing to investigate 
> this.

Thanks for being cool about it, Matt.  

And I agree with your statement too: getting this stuff on the server is
next to impossible in most situations and is specifically what WordPress has
taken steps to combat.

I'm glad I did this though, because I'd thought I'd secured my semi-public
upload directory fairly well. However, I instead just proved that you can
only protect yourself from what you know about.

As the saying goes:

"If you know the enemy and know yourself, 
     you need not fear the result of a hundred battles.  
If you know yourself but not the enemy, 
     for every victory gained you will also suffer a defeat. 
If you know neither the enemy nor yourself, 
     you will succumb in every battle."
Sun Tzu's Art of War. Chapter 3 verse 18

Brian Layman

