[wp-hackers] Plugin update & security / privacy
viper at viper007bond.com
Sun Sep 23 10:52:41 GMT 2007
Your logic is flawed. You assume that someone looking to exploit won't
attack the latest version. This is usually untrue. If a serious exploit is
found, hackers usually just Google for "WordPress" (it's already on your
site for "powered by WordPress") or like wp-login.php and then attempt to
exploit it, regardless of version. If some database somewhere somehow did
get leaked, then all it'd do is just make the hackers job easier -- it
wouldn't enable them.
And by checking for an update, your server's IP address is sent
automatically. It wouldn't be hard to reverse lookup that IP.
Simply put, if you really insist on wearing a tin foil hat, it's uber easy
to disable the automatic update checker. For the other 99.99999% of people
out there, this feature will be a godsend to them in both terms of new
features and more importantly, the _only_ real way to make sure your site
doesn't get hacked -- by running the latest version.
On 9/23/07, Moritz 'Morty' Strübe <morty at gmx.net> wrote:
> I know this will not change until Monday, but is it really necessary to
> transmit the URL? Wouldn't the md5 of the URL do? I know it's easy to
> find WP-Blogs via google. But imagine have them all nicely in a database
> - All of them. Including version, plugins and so on. If that database
> gets public and you find a security bug in one of the plugins - there
> are enough - you can start a _very_ effective attack!
> -> update.php:85 $http_request .= 'User-Agent: WordPress/' .
> $wp_version . '; ' . get_bloginfo('url') . "\r\n";
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
Viper007Bond | http://www.viper007bond.com/
More information about the wp-hackers