[wp-hackers] xmlrpc issue or no?

Lloyd Budd lloydomattic at gmail.com
Sun Feb 3 02:31:20 GMT 2008


On Feb 2, 2008 5:39 PM, Jared Bangs <jared at pacific22.com> wrote (and I trimmed):
>
> I wasn't saying we overlooked any evidence, just that we didn't follow up on
> it as well as we could have.

The perception that WordPress has a poor security record is an issue
close to my heart.

I'm not certain what should have been followed up on. whooami and
otto42 and others were proactive and tried to get additional
information and pursue the issue. Maybe you could provide a timeline
with people's actions describing how the issue could have been pursued
more proactively?

My feeling is there probably aren't many specific insights in this
scenario, but you are correct that there is great opportunity to contribute
to WordPress' security profile.

I imagine more interesting is analysing characteristics of individual
and classes of WordPress security problems to see if there are more
lurking, opportunity for programmatic protection, or training.

Unfortunately, for me, I have little programming juice, and none in security.

As an aside, I find participation at http://blogsecurity.net/ awkward, because
I don't think I've ever seen a reference to a trac ticket number in
any of the posts, or updates when issues are resolved.


> My simple point was that if
> more of "us" in the WP dev community looked more closely at this issue I
> believe that the root cause would have been discovered. Of course, that's
> easy to say in hindsight, but since there are a limited number of places in
> the code where a post can be modified like this (outside of SQL injection,
> etc.) we theoretically could have found this one if we had enough people
> seriously looking for it, IMHO.

That is no more or less true than any other exploit discovered or yet
to be discovered. There is only a short list of goals of compromising
a system.


> Perhaps more of us can dedicate our time to this type of stuff instead of more
> "user facing" / recognizable stuff like adding more features.

I don't think there is any excess of people working on "user facing"
stuff either unfortunately.

Are there specific things that you are now working on related to this now?

Thanks,
Lloyd
