[wp-hackers] xmlrpc issue or no?

Jared Bangs jared at pacific22.com
Sun Feb 3 07:10:24 GMT 2008

On Feb 2, 2008 6:31 PM, Lloyd Budd <lloydomattic at gmail.com> wrote:

> On Feb 2, 2008 5:39 PM, Jared Bangs <jared at pacific22.com> wrote (and I
> trimmed):
> >
> > I wasn't saying we overlooked any evidence, just that we didn't follow
> up on
> > it as well as we could have.
> The perception that WordPress has a poor security record is an issue
> close to my heart.

I didn't mention anything about that, outside of the context of this
particular issue. I didn't mean to imply that anyone on this list (including
you) don't care about security problems (only encouraging that we could all
do better); sorry if it came across that way.

> I'm not not certian what should have been followed up on? whooami and
> otto42 and others were proactive and tried to get additional
> information and pursue the issue. Maybe, could you provide an timeline
> with people's actions describing how the issue could have been pursued
> more proactively?

I'm really not interested in making this an argument at all, so I'd rather
not do a full on reconstruction of the events here. You may disagree with my
view on this, and I certainly respect your opinion.

To keep it as short as possible: the original report may have been lacking
technical details (which is understandable for most users). Lots of people
responded, asking good questions to try to get to the heart of the matter.
Lots more people chimed in stating that they had been hit as well.

"rawalex" posted one month ago pointing directly to xml-rpc as the cause of
the problem. Between that point and now is primarily where I feel that we
could have found this, if enough people were concerned.

I believe that the fact that we didn't until an exploit was finally
published (even though it has apparently been in "private" use for months)
may send a message to some that disclosure is what it takes to get moving on
this type of issue.

> My feeling is there probably isn't many specific insights in this
> scenario, but you are correct there is great opportunity to contribute
> to WordPress' security profile.
> I imagine more interesting is analysing characteristics of individual
> and classes of WordPress security problems to see if there are more
> lurking, opportunity for programmatic protection, or training.

I couldn't agree more. This is what I was alluding to earlier in my closing
remark about new features usually taking a much more prominent focus.

> Unfortunately, for me, I have little programming juice, and none in
> security.

<LightHeartedJoke>Maybe with the latest round of funding, Automattic can
invest in a couple full time security oriented "hackers" to hammer on it and
try to flush this stuff out.</LightHeartedJoke>

Aside, I find http://blogsecurity.net/ awkward participation, because
> I don't think I've ever seen a reference to a trac ticket number in
> any of the posts, or updates when issues are resolved.
> > My simple point was that if
> > more of "us" in the WP dev community looked more closely at this issue I
> > believe that the root cause would have been discovered. Of course,
> that's
> > easy to say in hindsight, but since there are a limited number of places
> in
> > the code where a post can be modified like this (outside of SQL
> injection,
> > etc.) we theoretically could have found this one if we had enough people
> > seriously looking for it, IMHO.
> That is no more or less true than any other exploit discovered or yet
> to be discovered. There is only a short list of goals of compromising
> a system.
This is where I disagree. I think we had enough info in this case (see my
comment above about rawlex's post from a month ago) to make this different
than just a random 0-day security breach that we couldn't be expected to
prepare for.

> > Perhaps more of us can dedicate our time to this type of stuff instead
> of more
> > "user facing" / recognizable stuff like adding more features.
> I don't think there is any excess of people working on "user facing"
> stuff either unfortunately.

Perhaps, but even as a topic of conversation (on this list) it doesn't seem
to come up much, outside of the context of addressing a specific known
vulnerability. I suppose it's like that with most open source projects,
though, and I certainly don't have an answer for how to change that.

> Are there specific things that you are now working on related to this now?

As time permits, but unfortunately it usually doesn't. Perhaps in the eyes
of some, that disqualifies my statements here, and I recognize that. That's
why I was sure to include myself in the list of people who could have done
more on this issue and didn't.

But since you asked, the last thing I did regarding security was submitting
a patch to WPMU ticket #528, which ported over Ryan's password salting and
cookie authentication fixes from the standard WP trunk. It didn't get
commited, and the ticket was closed with an indication that it would wait
until the 2.5 sync. I'll also note that I didn't come back and whine about
it (here or elsewhere) or get into a close/reopen battle on Trac.

I do really believe that those security related changes were important
(arguably moreso with MU since there are likely to be more registered users
per install), but if the commiters and/or enough users disagree, I'm not
going to spend any time arguing about it. I barely had the free time to
write it, and definitely don't have the excess time to debate and campaign
for it.

Lastly, I got the feeling that you (perhaps on behalf of the project as a
whole) were feeling attacked or criticized. Let me clarify again that that
was not the intent of my comments. My only hope is to motivate others here
in the community to do more than we have been regarding security, especially
in cases where there are multiple reports of active exploits with strong
hints as to the source of the problem.

More information about the wp-hackers mailing list