WP 2.0.2 Update Coming? (56 posts)

  1. Dougal Campbell
    Member
    Posted 8 years ago #

    There is already a 2.0.2 in the works. You can track it in SVN under '/branches/2.0'. I know that the comment form XSS bug is already taken care of, and I'm sure that the other issues mentioned will be taken into consideration.

    That said... The XSS bug is hard to exploit, because you pretty much have to target a particular individual.

    Directory listings are the result of server settings that go beyond WordPress. Yes, we can get rid of it by adding an empty index.php file, but it's misleading to call this a bug in WP.

    Disallowing direct access to some of the files may be a good idea, as noted.

  2. nimrod
    Member
    Posted 8 years ago #

    by marke1:
    Overall, I'd say the security issues posted ... are not, in and of themselves, a problem. BUT, they could be used in some sort of combined attack at a later date.

    exactly. esp when playing around with xss in comments.

  3. masquerade
    Member
    Posted 8 years ago #

    For (hopefully the last) time, there is no XSS vulnerability, the only person's machine that you can run code on is your own. The vulnerability is bogus, it's simply a bug in cookie input validation that could allow someone to execute javascript on their own machine.

  4. petit
    Member
    Posted 8 years ago #

    I'm happy to see that this rather entertaining thread wasn't closed. The question on the hackers list was not if it should be deleted, but closed.

    On the matter, which really should be on that list, I'll give my support to the statement, that allowing directory listing or not, is a matter of configuring the web server.

    It should be taken care of by the service provider or server owner. On my host it is disallowed by default. On hosts with the opposite policy, the user could disallow directory browsing in a .htaccess file in his/her document root.

  5. Stahn
    Member
    Posted 8 years ago #

    Just make a damn zip file and an update.php and we will be happy. What's so hard about that? Now the XSS is widely known.

  6. Mark (podz)
    Support Maven
    Posted 8 years ago #

    Posted to the Hackers list.
    Seen by people who know the WordPress code inside out.
    Seen by people who if there was the slightest thing wrong would jump on it.

    "What needs clarification is that there is no XSS, nobody can remotely take down your blog or change your pages, potentially steal your login information with malicious javascript, etc."

    If there WAS any threat to a WordPress blog from someone who had nothing to do with that blog, then something would have been said and done by now. There are enough critics of WordPress that we would have more noise about this than we do have.

  7. whooami
    Member
    Posted 8 years ago #

    I have to agree with one thing .. path disclosure IS a serious issue. I've submitted it to Mosquito before ...
    Whether you call it a server misconfiguration OR an application issue, it's still something that needs addressing.

    phpBB addresses it.
    vbulletin addresses it.
    b2evolution addresses it.

    ---
    follow this:

    Matt: Let's make it so people have this nifty convenience feature that lets them edit files in the backend. It will be good for the people that can't find an ftp client (huh??) or are just too lazy to download. It's ok that the files to be edited need to be chmod 777.

    The above is done to make things easier on newbs, I presume. As someone that knows better, aka a NON-newb would never fall for leaving files as world-writable.

    Next breath ...

    Matt: Let's rely on the user to manage php error reporting and any potential path disclosures.

    The above suggests that Matt thinks the aforementioned newb actually knows how to handle such things.

    ---

    In other words, in one breath you dumb it down, and as a result, have security issues, and in the next, you don't dumb it down and have security issues.

    At the very least, some consistency would be nice. I have to wonder sometimes who this application is actually being coded for.

  8. marke1
    Member
    Posted 8 years ago #

    podz wrote:

    There are enough critics of WordPress that we would have more noise about this than we do have.

    Criticism can be a very good thing. Without it, ideas aren't nearly as bountiful.

    At the same time, taking offense to criticism is wasted energy. Pointing out FACTS -- e.g. Truth -- is enough, otherwise one is dragged into the melee. Sometimes it's best to address malicious critics indirectly, so as to avoid giving them your energy.

    Waxing philosophic there, I know.

  9. Mark (podz)
    Support Maven
    Posted 8 years ago #

    marke1 - and if you'd read enough posts around here and on lists you'd know that I do criticise.

    I agree with your point, but I'm not a Yes-man :)

  10. moshu
    Member
    Posted 8 years ago #

    whooami:
    I have to wonder sometimes who this application is actually being coded for.

    That makes (at least) two of us. Although I didn't need this thread for it.

  11. marke1
    Member
    Posted 8 years ago #

    podz:

    marke1 - and if you'd read enough posts around here and on lists you'd know that I do criticise.

    If I only had time to do everything that I'd like to do. But alas, other things take precedence. So I can only participate here now and then. I've been to this forum countless times, and I am a huge fan of WP. Excellent code.

    And hey, bbPress is good too. I use it.

  12. masquerade
    Member
    Posted 8 years ago #

    I have to agree with one thing .. path disclosure IS a serious issue. I've submitted it to Mosquito before ...
    Whether you call it a server misconfiguration OR an application issue, it's still something that needs addressing.

    phpBB addresses it.
    vbulletin addresses it.
    b2evolution addresses it.

    If ten projects bloat code by adding four lines to each file to protect against path disclosure, should we follow just because they do it? Just because another software does it doesn't mean it's a good idea or even necessary (especially when one of your references is phpBB, of all things to reference. phpBB just needs this because their record of security vulnerabilities which this could assist is huge.)

    The idea here is to promote the use of webhosts with some bit of sanity. Nobody said for the average user to know how to change settings, but hosts should, and they should be responsible. There comes a limit to what a PHP script should have to do to work around the problems with webhosts, and path disclosure is one of those limits.

  13. marke1
    Member
    Posted 8 years ago #

    masquerade:

    The idea here is to promote the use of webhosts with some bit of sanity. Nobody said for the average user to know how to change settings, but hosts should, and they should be responsible.

    This is one crux of the matter of development. Should developers try to protect users from both themselves and lax admins, or not? Opinions differ. Regardless, the more popular an application becomes the more often people will look for holes in it.

    For example, OS X has enjoyed obscurity in the sense that intruders haven't poked around with it too much -- until lately. It's the same old thing we see everywhere in life: Tell somebody they can't and they will sure as hell try!

    So having what appears to be an "admin-only XSS" issue will raise awareness among intruders to look to see if they can find something that the original discoverer missed. It's a game to many of those people.

    Best thing to do is sanitize all input so it's not possible against any user account. As for directory browsing, again that's real easy to protect against (in case the user or admin doesn't): include a blank index.php file in every directory that doesn't have a useful one already. Then this issue will never come up again.
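    The two mitigations raised in this thread (a blank index.php in every directory, directory indexes switched off in .htaccess) and an audit for the per-file guard masquerade calls "four lines to each file", as an added shell example. This is not code from the thread or from WordPress itself; it assumes an Apache host that honours Options overrides in .htaccess, a document-root path passed as its first argument, and a guard built on the ABSPATH constant, which is an assumption about how the install guards its includes.

```shell
#!/bin/sh
# Added example, not from the thread or from WordPress: harden a WordPress document
# root against directory listings and full-path disclosure. DOCROOT is the install's
# top-level directory (assumed path, passed as $1).

# Block Apache directory indexes for the whole tree (effective only where the host
# allows Options overrides in .htaccess), and drop an empty index.php into every
# directory that has no index file, so no listing is produced even on hosts that
# ignore .htaccess. Running it twice adds nothing the second time.
suppress_listings() {
    docroot="$1"
    htaccess="$docroot/.htaccess"
    if ! grep -qs -- '-Indexes' "$htaccess"; then
        printf 'Options -Indexes\n' >> "$htaccess"
    fi
    find "$docroot" -type d | while IFS= read -r dir; do
        if [ ! -e "$dir/index.php" ] && [ ! -e "$dir/index.html" ]; then
            printf '<?php\n// Intentionally empty: prevents a directory listing.\n' > "$dir/index.php"
        fi
    done
}

# List PHP files under the include directories that never reference the ABSPATH
# constant, i.e. that lack a guard such as
#     if ( ! defined( 'ABSPATH' ) ) { exit; }
# Requested directly, such a file dies on an undefined function and, with PHP's
# display_errors on, prints the absolute path (and with it the account username).
# The constant name is an assumption about the install; the check is a heuristic.
find_unguarded_includes() {
    docroot="$1"
    for dir in "$docroot/wp-includes" "$docroot/wp-admin/includes"; do
        [ -d "$dir" ] || continue
        find "$dir" -name '*.php' ! -name 'index.php' \
            -exec grep -L 'ABSPATH' {} + || :
    done
    return 0
}

# Usage: sh harden_wp.sh /path/to/docroot
if [ "$#" -gt 0 ]; then
    suppress_listings "$1"
    printf 'Include files with no ABSPATH guard:\n'
    find_unguarded_includes "$1"
fi
```

    The index.php files are the part that works everywhere, since they do not depend on the host's Apache configuration; the .htaccess line is belt-and-braces. The audit only reports, because edited core files would be overwritten by the next upgrade; its output is a list to raise with the project or to cover with a deny rule in the web server instead.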

  14. whooami
    Member
    Posted 8 years ago #

    "If ten projects bloat code by adding four lines to each file to protect against path disclosure, should we follow just because they do it?"

    Give me a fucking break. Four lines of code is bloat? I think not.
    ...

    "The idea here is to promote the use of webhosts with some bit of sanity."

    It is? So you mean to suggest that because of "principle" an application developer shouldn't do SIMPLE things to make their apps more secure? That's one of the most ridiculous excuses I think I have heard here.

    You're a riot. It's nice to know that everyone here has the end-user in mind. Not.

    God forbid other developers are so high and mighty. Are you by chance looking for work at Microsoft, you would undoubtedly fit in.

  15. vkaryl
    Member
    Posted 8 years ago #

    marke1 -

    I quote: So having what appears to be an "admin-only XSS" issue will raise awareness among intruders to look to see if they can find something that the original discoverer missed. It's a game to many of those people.

    Now just who was it that brought this whole thing out to the generalized script-kiddie surfing public?

    Hmmm.

  16. petit
    Member
    Posted 8 years ago #

    Still happy this thread isn't closed ;)

  17. whooami
    Member
    Posted 8 years ago #

    I thought it might be educational to test the following statement,

    "The idea here is to promote the use of webhosts with some bit of sanity."

    Why not take a look at the "sanity" of some of the hosts that are advertised on wordpress.org??? And of course, let's make sure that these are "average user" blogs, NOT the box owner's blog, or a site that would be considered "high-profile" like boing-boing.

    First, I decided to locate a blog hosted on yahoo, WordPress's latest preferred host, and see what kind of sanity THEY offer.

    The first blog I located was http://blog.alanguilan.com .. there is a little hosted by yahoo image on the lower right, and a traceroute confirms it's hosted on yahoo.

    A simple directory listing could be done:
    http://blog.alanguilan.com/wp-includes/

    Were php errors suppressed? yes.

    The second host was bluehost, the blog is http://www.sugaredharpy.com (again verified using traceroute)

    Not surprisingly, a full path disclosure was possible:

    http://www.sugaredharpy.com/wp-settings.php

    as well as a directory listing:

    http://www.sugaredharpy.com/wp-includes/

    Next in line is dreamhost and the chosen blog is http://www.squarefree.com (traceroute verified)

    A directory listing was available:

    http://www.squarefree.com/wp-includes/

    as was a full path disclosure:

    http://www.squarefree.com/wp-admin/edit-form-advanced.php

    I was not able to locate a "regular user" blog on laughing squid, nor was I able to locate one on anhosting.

    But I think my point is made.

    So much for promoting webhosts with "sanity". Any more "full of crap" excuses you would like to toss out, masquerade???

    Apologies to those blogs that I poked around in.
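    The same two checks run against a site you administer, as an added shell example that is not code from the thread: it classifies a response body as a directory listing or as a PHP error that prints the server path, and wraps both in a curl-driven audit. The site URL is a placeholder and the two sample responses are constructed for the offline self-test, not captures from any real blog.

```shell
#!/bin/sh
# Added example, not from the thread: check your own WordPress site for the two
# symptoms tested by hand above, a directory listing of wp-includes/ and a PHP error
# that prints the server path. The site URL is a placeholder and the two sample
# responses are constructed for the offline self-test.

# Apache's mod_autoindex titles its listings "Index of /<dir>".
is_directory_listing() {
    printf '%s' "$1" | grep -qi '<title>Index of /'
}

# A directly requested include that dies prints "Fatal error: ... in /abs/path.php
# on line N" (PHP wraps the pieces in <b> tags when html_errors is on, so strip tags
# first). That path usually embeds the hosting account's username.
discloses_path() {
    printf '%s' "$1" | sed 's/<[^>]*>//g' \
        | grep -Eq '(Fatal error|Warning|Notice):.* in /[^ ]+\.php on line [0-9]+'
}

# Print the leaked path from such a response, or nothing if there is none.
leaked_path() {
    printf '%s' "$1" | sed 's/<[^>]*>//g' \
        | sed -n -E 's|.* in (/[^ ]+\.php) on line [0-9]+.*|\1|p' | head -n 1
}

# Fetch both URLs from a site you administer and report findings; returns non-zero
# on any finding so it can gate a deployment.
audit_site() {
    base="$1"
    findings=0
    body=$(curl -sS -L --max-time 10 "$base/wp-includes/" 2>/dev/null) || body=""
    if is_directory_listing "$body"; then
        printf 'LISTING: %s/wp-includes/\n' "$base"
        findings=$((findings + 1))
    fi
    body=$(curl -sS -L --max-time 10 "$base/wp-settings.php" 2>/dev/null) || body=""
    if discloses_path "$body"; then
        printf 'PATH DISCLOSURE: %s/wp-settings.php -> %s\n' "$base" "$(leaked_path "$body")"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample responses used by the self-test (not real captures).
LISTING_SAMPLE='<html><head><title>Index of /wp-includes</title></head>
<body><h1>Index of /wp-includes</h1><a href="cache.php">cache.php</a></body></html>'
ERROR_SAMPLE='<br />
<b>Fatal error</b>:  Call to undefined function get_option() in <b>/home/example_user/public_html/wp-settings.php</b> on line <b>42</b><br />'

# Usage: sh wp_selfcheck.sh https://blog.example.com
if [ "$#" -gt 0 ]; then
    audit_site "$1"
fi
```

    A clean run returns 0, so the script fits into a post-deployment check. When it does flag the error page, the fix is on the PHP side (display_errors off, log_errors on, or a guard in the include) rather than in WordPress templates, because the text comes from the PHP engine before any application code runs.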

  18. masquerade
    Member
    Posted 8 years ago #

    Give me a fucking break. Four lines of code is bloat? I think not.

    4 * 357 is.

    You also mistake me for having anything to do with what hosts are listed on the page on WordPress.org, or my views even being remotely close to what any of the devs may think. I'm simply stating my thoughts on why things should remain as they do, and personally if I had my choice, the list of hosts on the Hosting page would not be what they are today (Dreamhost and Bluehost particularly, they've gone to hell over the years, and anywhere with a WP auto-install is pretty low on the list of hosts that should be recommended, as guess what permissions files are left laying around as?), but then again, money speaks, doesn't it?

    Besides, how will hosts ever know that they aren't configured correctly until someone says "Well shit, because you guys didn't follow the recommended standards for a PHP host and left error reporting on, my site was hacked, and your server rooted." It takes learning by hard example to get people to comply, and if that's so, it's fine with me, there's little other way.

  19. I don't get the big deal about full path disclosure. I mean, chances are after a few tries, I could probably guess the path for 50-75% of the sites out there as it's usually a pretty standard path for sites.

  20. whooami
    Member
    Posted 8 years ago #

    it's not the path, per se, viper, it's the username. That's 1/2 of what's necessary to access just about everything related to any webhosting account. And it's 1/2 more than need be available to anyone that might have malicious intentions.

    As for you, masquerade, I think you've already been put in your place. I expect you won't be approving my pingback to your recent reply on your blog. No loss.

  21. weeklytips
    Member
    Posted 8 years ago #

    Delete this

  22. marke1
    Member
    Posted 8 years ago #

    vkaryl:

    Now just who was it that brought this whole thing out to the generalized script-kiddie surfing public?

    Looks to me like it was Neo Security Team. They posted it to the oldest and most popular security mailing list on the planet. . . I thought that was already made glaringly obvious.

    What's your point?

  23. Chris_K
    Member
    Posted 8 years ago #

    a) I know who weeklytips is. Whee. Quick editing though -- nice save.

    b) *marke1 - I suspect Vkaryl was delicately suggesting that you brewed this teapot's current tempest by bringing the excitement here to, largely, a crowd of folks who don't follow security mail lists. Thus perhaps putting "bad thoughts" into some impressionable minds.

  24. marke1
    Member
    Posted 8 years ago #

    HandySolo:

    b) I suspect Vkaryl was delicately suggesting that you brewed this teapot's current tempest by bringing the excitement here to, largely, a crowd of folks who don't follow security mail lists. Thus perhaps putting "bad thoughts" into some impressionable minds.

    I've been a member of Bugtraq security mailing list (where NST posted their findings) for so long that I honestly forgot when I joined. One thing I've seen in all that time is that once something is posted there it's nearly instantly known by the entire black hat (bad guys) community. Therefore, I don't see any harm in asking about it here in a somewhat constrained manner. In fact, if you notice, I didn't post any direct info or any links in my initial post. That was entirely intentional. After another forum member linked to the rebuttal info then the cat was out of the bag in so far as readers of this forum go.

  25. whooami
    Member
    Posted 8 years ago #

    a) I know who weeklytips is. Whee. Quick editing though -- nice save.

    as do I, and it was a sloppy save. he was too busy pulling half-baked answers out of his ass to remember who he was logged in as apparently.

Topic Closed

This topic has been closed to new replies.
