[wp-hackers] XMLRPC rework

Lloyd Budd lloydomattic at gmail.com
Thu Aug 30 17:35:01 GMT 2007


On 8/30/07, Alexander Concha <alex at buayacorp.com> wrote:
> Hello Folks.
>
> I think WP's XMLRPC server needs more attention because it has some
> buggy methods and by default allows unprivileged users to gather
> useful information.

Hi Alex,

Although a very appropriate topic for this list, there is now a list
specifically for the topic: wp-xmlrpc at lists.automattic.com

>
> The following methods don't seem to work and because of security
> implications, I suggest removing them -- although I'm not sure if they
> were added for compatibility reasons.
>
> - blogger_getTemplate
> - blogger_setTemplate
>
> OTOH, unprivileged users (aka anyone with a subscriber role) can
> retrieve data which could be used for unknown purposes. Examples:
>
> - mw_getRecentPosts will return posts including private fields like
> post_password.
> - wp_getAuthors will return the list of users with private data (email
> and role).
>
> Any comments?
>
> Regards.
>
> PS. Sorry for my bad English.
> --
> Alexander Concha
> http://www.buayacorp.com/

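As an added illustration of the mitigation a site owner could apply without patching core, this is plugin-style example code (not from the thread or from WordPress itself): it drops the two non-working blogger template methods and wraps the two disclosing methods so that post_password, email and role are stripped for callers lacking the edit_posts capability. It assumes a WordPress version exposing the `xmlrpc_methods` filter and the `$wp_xmlrpc_server` global; the capability chosen is an assumption, not something the thread specifies.

```php
<?php
/* Plugin Name: XML-RPC disclosure hardening (example, not WordPress core) */

add_filter( 'xmlrpc_methods', function ( array $methods ) {
    // Methods the thread reports as non-working: remove them from the table.
    unset( $methods['blogger.getTemplate'], $methods['blogger.setTemplate'] );
    // Route the two disclosing methods through filtering wrappers.
    $methods['metaWeblog.getRecentPosts'] = 'xh_filtered_recent_posts';
    $methods['wp.getAuthors']             = 'xh_filtered_authors';
    return $methods;
} );

// Helper: strip the given keys from each row unless the caller may edit posts.
function xh_strip_fields( $rows, array $keys ) {
    if ( ! is_array( $rows ) || current_user_can( 'edit_posts' ) ) {
        return $rows; // errors (IXR_Error) and privileged callers pass through
    }
    foreach ( $rows as &$row ) {
        foreach ( $keys as $key ) {
            unset( $row[ $key ] );
        }
    }
    return $rows;
}

function xh_filtered_recent_posts( $args ) {
    global $wp_xmlrpc_server;
    // The original method authenticates the caller, so current_user_can()
    // below reflects the XML-RPC credentials, not an anonymous visitor.
    $posts = $wp_xmlrpc_server->mw_getRecentPosts( $args );
    return xh_strip_fields( $posts, array( 'post_password' ) );
}

function xh_filtered_authors( $args ) {
    global $wp_xmlrpc_server;
    $authors = $wp_xmlrpc_server->wp_getAuthors( $args );
    return xh_strip_fields( $authors, array( 'email', 'role' ) );
}
```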