[wp-hackers] Plugin update & security / privacy

Mark Jaquith mark.wordpress at txfx.net
Sun Sep 23 17:48:34 GMT 2007

On Sep 23, 2007, at 5:35 AM, Moritz 'Morty' Strübe wrote:

> I know this will not change until Monday, but is it really  
> necessary to
> transmit the URL? Wouldn't the md5 of the URL do? I know it's easy to
> find WP-Blogs via google. But imagine have them all nicely in a  
> database
> - All of them. Including version, plugins and so on. If that database
> gets public and you find a security bug in one of the plugins - there
> are enough - you can start a _very_ effective attack!
> -> update.php:85     $http_request .= 'User-Agent: WordPress/' .
> $wp_version . '; ' . get_bloginfo('url') . "\r\n";

I don't know, but I'm trying to find out.  It seems unnecessary to  
me.  And it definitely works without it (or with a different --  
anonymous -- string).  Matt wrote that code, so I'll try to get a  
hold of him today.

Mark Jaquith

Covered Web Services

WordPress Ninja @ b5media Inc

More information about the wp-hackers mailing list