WordPress.org

Ready to get started?Download WordPress

Forums

Multiple CSRF Vulnerabilities does it effect 3.3.2? (10 posts)

  1. tommix
    Member
    Posted 2 years ago #

    I found these exploits [removed] but in 3.3.2 change log i did not noticed any addressing about these exploits, do they real, do WP team know about them? and how da hell wp seems to be the easiests to hack script with so much users and developers...

    Or this: [removed]

  2. WP is not the 'easiest to hack' by far. It's a factor of being popular, more people attack you. See what happens to Microsoft all the time ;)

    Anyway, if you think there's an exploit, you should read http://codex.wordpress.org/FAQ_Security and follow the direction there. You should never PUBLICLY release potential security issues.

  3. tommix
    Member
    Posted 2 years ago #

    I'm talking about WP security but you telling me to read somewhere something.. I won't. how reading crap will protect current and newest releases of WP? Many of topics regarding security is stupid and uselless..
    Protects from nothing.

    Here i showed validated exploit, and what WP mod does? teach people to do not talk about WP security holes? :D that's the stupidest thing i heard. We must talk so devs can fix them. if nobody will talk hakers will hack sites cause nobody knows about holes.

  4. ClaytonJames
    Member
    Posted 2 years ago #

    I'm talking about WP security but you telling me to read somewhere something.. I won't. how reading crap will protect current and newest releases of WP?...

    ....Here i showed validated exploit, and what WP mod does? teach people to do not talk about WP security holes? :D that's the stupidest thing i heard.

    You are wrong. Just plain wrong. I can't describe how angry everyone who uses WordPress should be at you for your attitude, but I'm really hoping that you just misunderstand due to a language barrier. :D

    That is a link that tells you how and where to report a suspected vulnerability (security issue), without first waving a red flag and screaming like a child to the entire internet.

    We must talk so devs can fix them. if nobody will talk hakers will hack sites cause nobody knows about holes.

    Agreed, but YOU become the irresponsible one if you actually find a vulnerability, and put everyone elses site in danger by shouting it out loud before reporting it correctly.

  5. What I did was link you to how good community members help the community.

    But since that's tl;dr for you, here's the short answer: For actual security issues with the self-hosted version of WordPress, then you should send an email with the details to security [at] wordpress.org. Include as much detail as you can.

  6. Samuel Wood (Otto)
    Tech Ninja
    Posted 2 years ago #

    Neither of those "vulnerabilities" is valid or realistically exploitable on a real site.

    The WP team is aware of issues like these, and addresses them all the time, but be aware that random things you find on exploit-db are usually not valid nor realistic. Anybody can post things to exploit-db, and anybody can make up those "security" reports. Virtually none of them actually work, and people who hack sites don't use those methods.

  7. tommix
    Member
    Posted 2 years ago #

    Not threatening but moderator removed links... it is me or it's illogical?

    I closely looked at exploit and understood that to be able to do it you need to have ether posting rights or somehow get valid wpnonse so it's actually not seems to be realistic..unless you self give haker such privileges.

    OK thanks both for answers.

  8. They were removed before I had the chance to look into them in depth.

    First act of someone 'publishing' a possible security risk on the forums is to yank it and mail it to security AT (which I did). On the off chance they were legit, publicizing a security hole before the WP dev team has a chance to push a fix makes things worse. We don't do this out of a desire for secrecy any more than Microsoft does.

    Industry standard: Tell the company directly. Give them appropriate time to fix the problem (or reply to you). Then start thinking if you should go public. Think about if you're causing more harm than good, and be cognizant of the big picture.

  9. tommix
    Member
    Posted 2 years ago #

    Sorry but WP devs can go to that website 24/7 if they interested in such things, so no need to tell that they did not had a chance to know about them. :)

    Anyway, all is ok, thanks. I just was thinking that i'm helping posting here possible hole so maybe that will be some useful info so devs can make patch. (i did not knew about mentioned security email).

  10. Sorry but WP devs can go to that website 24/7 if they interested in such things, so no need to tell that they did not had a chance to know about them. :)

    I wish that was the case, but it's not. If we assume everyone always does the right, best, thing... well, you wouldn't need moderators here, that's for sure! Cover your bases, be helpful, etc etc :)

    You were helpful, but next time please email instead of public post :) That's all. Not a huge deal. You didn't know, now you do. It's how we learn.

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags

No tags yet.