[wp-hackers] xmlrpc issue or no?

chays whoooo at gmail.com
Sun Feb 3 03:13:40 GMT 2008


Well, I'm pissed. Why?

This, posted to the forum thread by Matt, and followed by my being banned
from the forums:
"whoami, your fix does not. I would rather not have people think they're
safe and really not be, and there is a release coming shortly anyway. If
you'd like to post more to this thread please reply to the email I sent you
this morning. If anyone is scared and wants a fix NOW, they should either
turn off registration (which is off by default) or delete xmlrpc.php."

1. The fix isn't mine. It's SecuriTeam's.
2. It's tested, and yes, it does work, for the exploit provided.
3. I never got an e-mail from you this morning and I'll stop short of
calling you out on that fact except to say that I was at my computer most of
the day, and would NOT have missed an e-mail from you had I received it.

I think your apparent anger is a little misdirected, Matt, especially given
all the dates that have been tossed about regarding this.

whoo

On Feb 2, 2008 9:31 PM, Lloyd Budd <lloydomattic at gmail.com> wrote:

> On Feb 2, 2008 5:39 PM, Jared Bangs <jared at pacific22.com> wrote (and I
> trimmed):
> >
> > I wasn't saying we overlooked any evidence, just that we didn't follow
> > up on it as well as we could have.
>
> The perception that WordPress has a poor security record is an issue
> close to my heart.
>
> I'm not certain what should have been followed up on? whooami and
> otto42 and others were proactive and tried to get additional
> information and pursue the issue. Maybe, could you provide a timeline
> with people's actions describing how the issue could have been pursued
> more proactively?
>
> My feeling is there probably aren't many specific insights in this
> scenario, but you are correct there is great opportunity to contribute
> to WordPress' security profile.
>
> I imagine more interesting is analysing characteristics of individual
> and classes of WordPress security problems to see if there are more
> lurking, opportunity for programmatic protection, or training.
>
> Unfortunately, for me, I have little programming juice, and none in
> security.
>
> Aside, I find http://blogsecurity.net/ awkward participation, because
> I don't think I've ever seen a reference to a trac ticket number in
> any of the posts, or updates when issues are resolved.
>
>
> > My simple point was that if more of "us" in the WP dev community
> > looked more closely at this issue I believe that the root cause would
> > have been discovered. Of course, that's easy to say in hindsight, but
> > since there are a limited number of places in the code where a post
> > can be modified like this (outside of SQL injection, etc.) we
> > theoretically could have found this one if we had enough people
> > seriously looking for it, IMHO.
>
> That is no more or less true than any other exploit discovered or yet
> to be discovered. There is only a short list of goals of compromising
> a system.
>
>
> > Perhaps more of us can dedicate our time to this type of stuff instead
> > of more "user facing" / recognizable stuff like adding more features.
>
> I don't think there is any excess of people working on "user facing"
> stuff either unfortunately.
>
> Are there specific things that you are now working on related to this?
>
> Thanks,
> Lloyd
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>