[wp-hackers] CSRF vulnerability in WP HTML Sitemap 1.2 (WordPress plugin)

Chris Christoff hello at chriscct7.com
Fri Mar 28 17:03:18 UTC 2014



-----------------------------------------------------------
## Chris replied, on Mar 28 @ 1:02pm (AMT):

I think the point is when people signed up for this mailing list they
didn't sign up for those notifications, which presumably entail
multiple emails per day (given 2 already today alone and security.dxw
seems to report 1 to 2 a day on average). While a lot of people may
find the reports useful, they weren't the intended goal of this
mailing list. That doesn't make them worthless, but rather means that
there should be a mailing list where people can sign up for them only
if they want to receive them.
--
Chris Christoff
hello at chriscct7.com
http://www.chriscct7.com [1]
@chriscct7
If you feel the need to donate, as a college student, I appreciate
donations of any amount. The easiest way to donate to my college fund
is via the donation button at the bottom of my
homepage: http://chriscct7.com/ [2]

Links:
------
[1] http://www.chriscct7.com
[2] http://chriscct7.com/


-----------------------------------------------------------
## wp-hackers at lists.automattic.com replied, on Mar 28 @ 12:59pm (AMT):

I'm in for this list.

-----------------------------------------------------------
## wp-hackers at lists.automattic.com replied, on Mar 28 @ 12:58pm (AMT):

I'd recommend a separate mailing list as well.

<johnbillion+wp at gmail.com> wrote:

 >
 > > Anyone else agree? Who'd join such a list?
 > >
 > > I'll keep a tally on that too.
 > >
 > > Though I am a bit surprised at the respondents here who *don't* want to
 > > know about vulnerable plugins they may be running...
 >
 >
 > I think a separate mailing list would be a better idea than posting to
 > wp-hackers, for the same reason there are separate mailing lists and
 > separate IRC channels and separate development blogs for all the various
 > aspects of WordPress.
 >
 > John
 > _______________________________________________
 > wp-hackers mailing list
 > wp-hackers at lists.automattic.com
 > http://lists.automattic.com/mailman/listinfo/wp-hackers
 >

-----------------------------------------------------------
## wp-hackers at lists.automattic.com replied, on Mar 28 @ 12:47pm (AMT):

A separate list with a more obvious way of joining would benefit regular
users - they can just fill out a form and get updates. And when they do get
updates, they will be specifically targeted at security.

I'm pretty happy with the mailing list of Wordfence - they have a huge user
base with all kinds of different setups that they can monitor and find
exploits.

PS: I'm not saying that your reports are worthless - the idea is a very
good one and I'm happy that you are donating some of your time towards the
community.

<johnbillion+wp at gmail.com> wrote:

 >
 > > Anyone else agree? Who'd join such a list?
 > >
 > > I'll keep a tally on that too.
 > >
 > > Though I am a bit surprised at the respondents here who *don't* want to
 > > know about vulnerable plugins they may be running...
 >
 >
 > I think a separate mailing list would be a better idea than posting to
 > wp-hackers, for the same reason there are separate mailing lists and
 > separate IRC channels and separate development blogs for all the various
 > aspects of WordPress.
 >
 > John

-----------------------------------------------------------
## Chris replied, on Mar 28 @ 12:45pm (AMT):

I agree. Make a separate mailing list so those interested can opt in.
Don't force existing mailing list subscribers to have to set up GMail filters
to delete these posts.
--
Chris Christoff
hello at chriscct7.com
http://www.chriscct7.com [1]
@chriscct7
If you feel the need to donate, as a college student, I appreciate
donations of any amount. The easiest way to donate to my college fund
is via the donation button at the bottom of my
homepage: http://chriscct7.com/ [2]

Links:
------
[1] http://www.chriscct7.com
[2] http://chriscct7.com/


-----------------------------------------------------------
## wp-hackers at lists.automattic.com replied, on Mar 28 @ 12:43pm (AMT):

<johnbillion+wp at gmail.com> wrote:

 >
 > > Anyone else agree? Who'd join such a list?
 > >
 > > I'll keep a tally on that too.
 > >
 > > Though I am a bit surprised at the respondents here who *don't* want to
 > > know about vulnerable plugins they may be running...
 >
 >
 > I think a separate mailing list would be a better idea than posting to
 > wp-hackers, for the same reason there are separate mailing lists and
 > separate IRC channels and separate development blogs for all the various
 > aspects of WordPress.
 >
 > John
 >

I concur!

I would certainly be open to joining that, and agree it should be separate
from wp-hackers.

 Dre Armeda

-----------------------------------------------------------