[wp-hackers] xmlrpc issue or no?
chays
whoooo at gmail.com
Sat Feb 2 21:47:10 GMT 2008
Well thanks Jared, since I'm whoami :P
Fwiw, the discoverer of the problem and the POC (atleast not the one thats
on my site and is functional [it's actually an exploit]) didnt come from the
same source. Not that that matters, but I wanted to make that clear. I wont
express my frustration here since I think it's clear within the actual
thread how I feel....
On Feb 2, 2008 4:16 PM, Jared Bangs <jared at pacific22.com> wrote:
> On Feb 2, 2008 4:55 AM, chays <whoooo at gmail.com> wrote:
>
>
> I think "whooami" did a decent job in responding so far.
>
> It seems to me that if there's anywhere that "we" (WP dev/hacker
> community)
> dropped the ball, it's the period of time between 12/12/2007 (when trac
> ticket #5313 was closed) and 2/2/2008 (when it was reopened after an
> exploit
> had been published).
>
> Judging by the timeline illustrated by that ticket's history, in
> combination
> with the ongoing discussion in the linked support forum thread insisting
> that the threat was real, there is a nearly two month period of time in
> which potentially no one was looking at this very closely. I could be
> wrong
> on that, and maybe people were working hard behind the scenes and just not
> finding anything, but it seems to me (after looking at the exploit) that
> one
> of us should have been able to definitively confirm or deny that issue
> within the last four months.
>
> It's easy for me to say that, since I obviously didn't take the time to
> look
> into it either, but I think maybe we should at least acknowledge this
> situation as a mistake and resolve to learn from it.
>
> As to the age old debate on whether full disclosure is appropriate or not,
> the trac ticket history in this case again gives evidence to its
> "effective
> motivating value" (for lack of a better term): closed on 12/12 for lack of
> POC, reopened and quickly fixed on 2/2 when the POC code was released. Of
> course, he could have / should have sent the POC exploit in privately, but
> it's just surprising to me that none of us was able to reproduce it
> without
> the exploit in these last four months.
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
More information about the wp-hackers
mailing list