WordPress.org

Support

Support » Requests and Feedback » Security of WordPress

Security of WordPress

  • Dear WordPress Developers,
    I really liked wordpress for its features and the reputation it maked in the world of the internet.

    I came to know that there is a security bug in WP 1.5. Any person has WP installed in his own server can use his session ids created in another websites and pass to the admin panel. It think, this security hole should be top priority.

    Thanks,
    Fadil

Viewing 15 replies - 1 through 15 (of 16 total)
  • Mark (podz)

    @podz

    Support Maven

    As you did not search at all, I’ll help you out:

    Send ANY concerns to security@wordpress.org

    And “I came to know” …. pretty vague eh ?

    Oh, and thank you.

    Ah, you’re talking about the admin panel. I always password protect the wp-admin directory. That way, the password must be input before you get to the WP login page.

    Oh you do huh ? Well that is quite a nifty work around. There is obviously a need for it otherwise you wouldnt do it. And many users may not know what is is, why its needed or how to do it. And we should treat fadil with a little more courtesy. English may not be his first language.

    Are you speaking to me, Root? If so, I didn’t mean to be discourteous; I think a viewing of my posts here will show that I’ve never been discourteous in the WP forums and certainly didn’t intend to be here.

    I was just posting a general security measure I take on *all* sites of whatever kind with an admin panel login. It’s not a bad idea, and is pretty old school.

    I actually just played around with this (since I have two domains on different servers), and it does seem to be true – given that the login name is the same. Doesn’t seem to be an issue if they aren’t, though this was just casual testing on my part.

    @fadil

    Care to elaborate?

    I think 1.5.1 is supposed to fix it, with the hush-hush and all 🙂
    Not to mention it brought in some headache’s too.

    Frankly I find this a bit disconcerting to be so secretive about this issue. As any security expert knows, security by obscurity never works. It harms more than it does good in the long run.

    If WordPress & Matt (synomymous?) was more open to this issue I would have felt much more comfortable.

    angusman, though I agree in part – are you saying it would have been better to make the hole well known to the general public before the fix was released? Isn’t that open to abuse by idiots such as those who due to some inexplicable reason decided to screw up Root’s site out of curiosity.

    the way the fix was presented I probably wouldn’t agree with, but I think they carried out the correct steps to protect their users.

    Well we must not assume that the fix was anything to do with my fiasco 🙂

    I know, I wasn’t implying it was but it rang true. I was just stating, to quote those Virgin ads, “the devil makes work for idle hands” and therefore anyone who had the same curious desire to break your site just to see if they could do it before everyone patched up would likely find a site to try it out on and then apologise profusely after being told they could be charged on account of “hacking”.

    But, I suppose you could argue that releasing a patch and stating the vulnerability so that users can make an informed decision would be a wiser move than not stating anything at all. In that, and I think that’s perhaps what Angusman means, would be a good, proactive approach.

    You need this patch because it will fix this which can cause this sort of trouble. It’s all a learning experience and I’m sure comments will be taken on board.

    @jinsan
    > are you saying it would have been better to make the hole well known to the general public before the fix was released?

    No, of course not!

    All I am saying is that a patch fixing only the security defect should be made available to the end users. End users shouldn’t be forced to install a full upgrade with 170 fixes, just so he can have the security vulnerability patched. That is not right. 1.5 works for me just as I want it.

    I do not need an upgrade which several people are having trouble with. However I just need a patch to fix a security hole. And I am not alone.

    I emailed to Matt couple of days ago, requesting a patch. He hasn’t replied yet.

    Nobody is asking to reveal the gory details of the vulnerability. However simple categorizing terms (yet vague enough to deter would be hackers) like “cross-site scripting vulnerability” would be helpful and appreciated, rather than a cryptic email just stating there was a vulnerability and it has been fixed.

    Even the secunia report was vague to the point of being meaningless.

    BTW: I going through WP codebase I noticed some potential architecture issues. Is there an architecture document? Who can I talk to wrt. WP architecture?

    Moderator James Huff

    @macmanx

    Is there an architecture document? Who can I talk to wrt. WP architecture?

    I would handle it just like submitting a bug report. That’s probably the best way to go because it gives the best exposure to the developers.

    http://codex.wordpress.org/Submitting_Bugs

    angus you can try shellyp’s site:

    http://wordpress.org/support/topic/33248

    I emailed to Matt couple of days ago, requesting a patch. He hasn’t replied yet.

    I’m sure that your email was one of hundreds Matt gets each and every day. Pity that between his job, working on bbPress, WordPress, his own site, and having a real life he’s not at our beck and call to answer emails within an hour of us sending them.

Viewing 15 replies - 1 through 15 (of 16 total)
  • The topic ‘Security of WordPress’ is closed to new replies.