Security of WordPress (17 posts)

  1. fadil
    Member
    Posted 8 years ago #

    Dear WordPress Developers,
    I really liked WordPress for its features and the reputation it made in the world of the internet.

    I came to know that there is a security bug in WP 1.5. Any person who has WP installed on his own server can use his session IDs created on other websites and pass into the admin panel. I think this security hole should be top priority.

    Thanks,
    Fadil

  2. Mark (podz)
    Support Maven
    Posted 8 years ago #

    As you did not search at all, I'll help you out:

    Send ANY concerns to security@wordpress.org

    And "I came to know" .... pretty vague, eh?

  3. notthatugly
    Member
    Posted 8 years ago #

    Oh, and thank you.

  4. DianeV
    Member
    Posted 8 years ago #

    Ah, you're talking about the admin panel. I always password protect the wp-admin directory. That way, the password must be input before you get to the WP login page.
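
    An added example of the measure DianeV describes, not code from the thread: an Apache `.htaccess` placed in `wp-admin/` (assumed location) that requires HTTP Basic authentication before any admin page is served. The password file path and the user name are assumptions.

```apache
# Added example (not from the thread): HTTP Basic auth in front of the WordPress admin panel.
# File: <wordpress root>/wp-admin/.htaccess   (assumed location; the vhost needs AllowOverride AuthConfig)
AuthType Basic
AuthName "WordPress administration"

# Keep the password file outside the document root so the web server can never serve it.
# Create it once with:  htpasswd -c /var/www/private/.htpasswd siteadmin   (path and user are assumptions)
AuthUserFile /var/www/private/.htpasswd

# Any user listed in the password file may continue to the WordPress login; everyone else gets 401.
Require valid-user
```

    The file only gates requests under `wp-admin/`, so scripts served from elsewhere are unaffected, and Basic auth sends the password merely base64-encoded, so the extra layer only holds up when the site is served over HTTPS.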

  5. Root
    Member
    Posted 8 years ago #

    Oh you do, huh? Well that is quite a nifty workaround. There is obviously a need for it, otherwise you wouldn't do it. And many users may not know what it is, why it's needed or how to do it. And we should treat fadil with a little more courtesy. English may not be his first language.

  6. DianeV
    Member
    Posted 8 years ago #

    Are you speaking to me, Root? If so, I didn't mean to be discourteous; I think a viewing of my posts here will show that I've never been discourteous in the WP forums and certainly didn't intend to be here.

    I was just posting a general security measure I take on *all* sites of whatever kind with an admin panel login. It's not a bad idea, and is pretty old school.

  7. ceo
    Member
    Posted 8 years ago #

    I actually just played around with this (since I have two domains on different servers), and it does seem to be true - given that the login name is the same. Doesn't seem to be an issue if they aren't, though this was just casual testing on my part.

  8. angsuman
    Member
    Posted 8 years ago #

    @Fadil

    Care to elaborate?

    I think 1.5.1 is supposed to fix it, with the hush-hush and all :)
    Not to mention it brought in some headaches too.

    Frankly I find this a bit disconcerting to be so secretive about this issue. As any security expert knows, security by obscurity never works. It harms more than it does good in the long run.

    If WordPress & Matt (synonymous?) were more open about this issue I would have felt much more comfortable.

  9. Jinsan
    Member
    Posted 8 years ago #

    angsuman, though I agree in part - are you saying it would have been better to make the hole well known to the general public before the fix was released? Isn't that open to abuse by idiots such as those who, for some inexplicable reason, decided to screw up Root's site out of curiosity?

    The way the fix was presented I probably wouldn't agree with, but I think they carried out the correct steps to protect their users.

  10. Root
    Member
    Posted 8 years ago #

    Well we must not assume that the fix was anything to do with my fiasco :)

  11. Jinsan
    Member
    Posted 8 years ago #

    I know, I wasn't implying it was but it rang true. I was just stating, to quote those Virgin ads, "the devil makes work for idle hands" and therefore anyone who had the same curious desire to break your site just to see if they could do it before everyone patched up would likely find a site to try it out on and then apologise profusely after being told they could be charged on account of "hacking".

    But, I suppose you could argue that releasing a patch and stating the vulnerability so that users can make an informed decision would be a wiser move than not stating anything at all. That, and I think that's perhaps what angsuman means, would be a good, proactive approach.

    You need this patch because it will fix this which can cause this sort of trouble. It's all a learning experience and I'm sure comments will be taken on board.

  12. angsuman
    Member
    Posted 8 years ago #

    @Jinsan
    > are you saying it would have been better to make the hole well known to the general public before the fix was released?

    No, of course not!

    All I am saying is that a patch fixing only the security defect should be made available to the end users. End users shouldn't be forced to install a full upgrade with 170 fixes just so they can have the security vulnerability patched. That is not right. 1.5 works for me just as I want it.

    I do not need an upgrade which several people are having trouble with. However I just need a patch to fix a security hole. And I am not alone.

    I emailed Matt a couple of days ago, requesting a patch. He hasn't replied yet.

    Nobody is asking to reveal the gory details of the vulnerability. However, simple categorizing terms (yet vague enough to deter would-be hackers) like "cross-site scripting vulnerability" would be helpful and appreciated, rather than a cryptic email just stating there was a vulnerability and it has been fixed.

  13. angsuman
    Member
    Posted 8 years ago #

    Even the Secunia report was vague to the point of being meaningless.

    BTW: going through the WP codebase I noticed some potential architecture issues. Is there an architecture document? Who can I talk to wrt. WP architecture?

  14. James
    Happiness Engineer
    Posted 8 years ago #

    > Is there an architecture document? Who can I talk to wrt. WP architecture?

    I would handle it just like submitting a bug report. That's probably the best way to go because it gives the best exposure to the developers.

    http://codex.wordpress.org/Submitting_Bugs

  15. Jinsan
    Member
    Posted 8 years ago #

    angus you can try shellyp's site:

    http://wordpress.org/support/topic/33248

  16. NuclearMoose
    Member
    Posted 8 years ago #

    > I emailed Matt a couple of days ago, requesting a patch. He hasn't replied yet.

    I'm sure that your email was one of hundreds Matt gets each and every day. Pity that between his job, working on bbPress, WordPress, his own site, and having a real life he's not at our beck and call to answer emails within an hour of us sending them.

  17. angsuman
    Member
    Posted 8 years ago #

    @Jinsan Thanks. I did get a reply from Shelly about the patch.

    @NuclearMoose I didn't exactly expect within an hour. I posted about my email only after a couple of days.
    So what's his schedule (for answering emails from mere mortals like me) like? A week, a month or > /dev/null :)

    Anyway, looking at the responses (read: none) to my actual question on an architecture document (and knowing how prompt the WP community is in answering questions when an answer exists), I am surmising that there is none. Correct me otherwise.

    I don't know if I should be filing a request for an architecture document as a bug request; doesn't look right :|

Topic Closed

This topic has been closed to new replies.