• Hi Folks,

    what happened to the Security Advisory from the Neo Security Team?

    I hoped the required fixes would be included in the 2.0.2 release. Or are these the snake-oil reports that went out on some security lists a few days ago? I for myself can say that the XSS vulnerability is for real.

    Anyway, I patched my updated 2.0.2 installation and could provide patching instructions, patched files, or a patch file (whew … too much patchwork in this sentence ;-))

    You can find some more information in my (WordPress powered ;-)) Blog: WordPress 2.0.2 Security Release

    Hope to hear from you soon,
    Sascha

Viewing 3 replies - 1 through 3 (of 3 total)
  • And who exactly are the “Neo Security Team”? Are they a known and respected source?

    If you read through their “advisory”, it admits this:

    “[I ]- This comment must be posted by the admin”

    Yup. The alleged flaw can only be triggered if you do it to your own site.

    Thread Starter SaschaGoebel

    (@saschagoebel)

    Hi,

    I neither have the time nor the patience to explain the idea of open source software here, but if someone, trusted or not, came to me and told me there’s a security hole in my software, I’d hurry to fix it instead of saying “Hey, that’s not serious, I don’t want to fix it.”

    I’m pretty sure there are sites out there which have registered users they don’t completely trust and exactly these sites are vulnerable to the exploit.

    And on the other hand, it won’t hurt to add the changes to the WordPress sources, right? There’s nothing to lose, but a lot of trust from the userbase to win.

    Greetz,
    Sascha

    There is no need to explain anything…

    But if you want to draw your concerns to the attention of the developers, the best place to do that is the wp-hackers email list. Details, archives, etc here:

    http://lists.automattic.com/mailman/listinfo/wp-hackers

  • The topic ‘Security Advisory’ is closed to new replies.