WordPress.org

Ready to get started?Download WordPress

Forums

Security Advisory (4 posts)

  1. SaschaGoebel
    Member
    Posted 8 years ago #

    Hi Folks,

    what happened to the Security Advisory from the Neo Security Team?

    I hoped the required fixes would be included in the 2.0.2 release. Or are these the snake-oil reports that went out on some security lists a few days ago. I for myself can say that the XSS vulnerability is for real.

    Anyway, I patched my updated 2.0.2 installation and could provide patching instructions, patched files, or a patch file (whew ... too much patchwork in this sentence ;-))

    You can find some more information in my (WordPress powered ;-)) Blog: WordPress 2.0.2 Security Release

    Hope to hear from you soon,
    Sascha

  2. And who exactly are the "Neo Security Team"? Are they a known and respected source?

    If you read through their "advisory", it admits this:

    "[I ]- This comment must be posted by the admin"

    Yup. The alleged flaw can only be triggered if you do it to your own site.

  3. SaschaGoebel
    Member
    Posted 8 years ago #

    Hi,

    I neither have the time nor the patience to explain the idea of open source software here, but if someone, trusted or not, came to me and told me there's a security hole in my software, I'd hurry to fix it instead of saying "Hey, that's not serious, I don't want to fix it."

    I'm pretty sure there are sites out there which have registered users they don't completely trust and exactly these sites are vulnerable to the exploit.

    And on the other hand, it won't hurt to add the changes to the WordPress sources, right? There's nothing to loose, but a lot of trust from the userbase to win.

    Greetz,
    Sascha

  4. There is no need to explain anything...

    But if you want to draw your concerns to the attention of the developers, the best place to do that is the wp-hackers email list. Details, archives, etc here:

    http://lists.automattic.com/mailman/listinfo/wp-hackers

Topic Closed

This topic has been closed to new replies.

About this Topic