Secunia/NeoSecurity advisories are bogus. See http://tinyurl.com/ksx4s for debunking.
Thanks for the link. They’re NOT bogus. It’s irresponsible of you to make that claim.
I disagree with the writer’s perspective (Robert Deaton, at the link you posted). Security issues, regardless of how “minor” one might interpret them, aggregate into serious problems.
For example, exposing directory contents and paths is not good because if I can easily learn what code (plugins, etc) you have installed then I am one step further along in whacking your system.
It’s trivial to guard against a server “misconfig” of error_reporting (include a check in the code to make sure files aren’t called directly unless they are meant to be).
It’s trivial to guard against browseable directories (include a blank index.php file). So why not just add the protection into the code? There’s no reason not to unless someone doesn’t appreciate security.
At the same time, when WP folks say they offer a “secure” platform then many people, me included, expect them to take even the most minor security issue seriously and do something about it. E.g. protect users against other admin’s choices; if code/files aren’t meant to be exposed then ensure it stays hidden unless the user intentionally exposes it.
For those who want to read about the issues (and see possible workarounds), see this link:
The notice was posted to the Bugtraq mailing list — one of the most authoritative groups of security-minded people on the Internet. Well respected people in the security community. I’d bet that there would not be one person there who would agree with your perspective.
<Checks to see if the sky is falling>
Over-zealous hype of alleged security holes does not help anyone. This has happened on previous occasions in the WP community, and I can assure you that when serious threats are identified, they are stopped by a very responsive coding community.
NuclearMoose: I think you misunderstand the group of people reporting problems. . . they are security people. Nitpicky, concerned. If you don’t follow security stuff regularly then it’s easy to downplay just about anything as trivial.
It’s good to start to get a clearer understanding of what application security means to you couple of people who responded……
I see that both you and “podz” guard against directory browsing to at least some extent (ahem) while at the same time shouting out that it’s no big deal!
NuclearMoose, you forgot to protect your plugins dir:
[ ] adhesive.php 20-Feb-2006 01:51 13k
[DIR] akismet/ 13-Feb-2006 19:46 –
[ ] brianslatestcomments..> 13-Feb-2006 19:46 5k
[ ] dofollow.php 13-Feb-2006 19:46 5k
[ ] favatars.php 13-Feb-2006 19:46 13k
[ ] geo.php 15-Feb-2006 20:32 21k
[ ] hello.php 13-Feb-2006 19:46 2k
[ ] jeromes-keywords.php 14-Feb-2006 01:46 25k
[ ] k2-rollingarchives.php 19-Feb-2006 12:24 4k
[ ] linkfootnotes.php 20-Feb-2006 00:31 2k
[ ] linkspage.php 15-Feb-2006 20:32 2k
[ ] options-contactform.php 13-Feb-2006 19:46 4k
[DIR] rollingarchives/ 19-Feb-2006 12:24 –
[ ] subscribe-to-comment..> 13-Feb-2006 19:46 35k
[DIR] wp-contact-form/ 13-Feb-2006 19:46 –
[ ] wp-db-backup.php 13-Feb-2006 19:46 30k
[ ] wpPaginate-v2.php 13-Feb-2006 19:46 6k
[ ] wp_ozh_adminmenu.php 13-Feb-2006 19:46 7k
NuclearMoose, you forgot to protect your plugins dir:
That about speaks for itself…
Thanks for posting that guy’s plugins folder. I was looking for some good plugins for my own site. I’m gonna check some of those out. 😉
Bad form, though. It’s really not necessary to go after individuals trying to help. We all get that you’re a super special security conscious guy, but let’s keep this conversation civil.
Oh, also, the “hackers” list is the mailing list for people working on WordPress or WordPress plugins. Maybe that is a better place to take this discussion?
dgrijalva: Dunno what is a better place. Nothing in the docs I got when I downloaded the WP package said anything about where to post what. So I took the natural route: come to the support site.
FWIW: I’m not necessarily a “super special security conscious guy” — but I don’t want my systems cracked wide open either, nor the systems of any customers who might depend on my recommendations for software…
Bad form, you say? Well, if it’s not a big deal to allow directory browsing then what’s the harm?
It’s good to see a discussion about security. Not to become paranoid or anything, but individuals as well as hosting service providers need to keep track of, or at least be aware of, any advisories. 🙂
I’m responsible for a few hundred WordPress sites and any alerts posted at Secunia or GulfTech always raise the red flag – at least for me.
I’m sure the WordPress devs (and countless code contributors) are working to enhance how the platform deals with error handling, among the many things they have to deal with.
I wonder if the WordPress project has ever hired/paid an independent security firm like Netcraft or GulfTech to audit WordPress, not necessarily to look at the code per se line by line, but run some unit tests and vulnerability scanning of some sort to address issues that have been overlooked (if any).
If you’re using Apache and/or your host allows .htaccess overrides, you can try and disable directory listings in this manner:
ErrorDocument 401 "error
ErrorDocument 403 "error
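The two mitigations argued for earlier in the thread (a blank index.php in every directory, plus a check so plugin files cannot be called directly) and the .htaccess approach just above can be applied and verified with a small script. The following is an added example, not code from the thread or from the WordPress project; it assumes Apache with AllowOverride permitting Options in the target tree, and it treats the common `defined('ABSPATH')` idiom as the "not called directly" guard, which is an assumption about how the plugins in question are written.

```shell
#!/bin/sh
# Added example (not from the thread): harden a WordPress content tree
# against directory listing and report plugin files lacking a guard
# against direct invocation.
# Assumptions: Apache honours .htaccess Options overrides for this tree,
# and plugin files use the  defined('ABSPATH')  idiom as their guard.

# Write an .htaccess that turns off auto-generated directory indexes and,
# as in the thread's snippet, serves a bland body on 403 so a refused
# listing reveals nothing about the layout.
write_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Constructed example: disable directory listings (Apache 2.x syntax)
Options -Indexes
ErrorDocument 403 "error"
EOF
}

# Drop an empty index.php into every directory below $1 that lacks one,
# so no listing is produced even where .htaccess overrides are ignored.
add_index_files() {
    find "$1" -type d | while IFS= read -r d; do
        [ -e "$d/index.php" ] || printf '<?php\n// Silence is golden.\n' > "$d/index.php"
    done
}

harden_wp_dir() {
    write_htaccess "$1"
    add_index_files "$1"
}

# Print every directory below $1 that has no index.php.
missing_index_dirs() {
    find "$1" -type d ! -exec sh -c 'test -e "$1/index.php"' _ '{}' \; -print
}

# Return 0 when every directory below $1 is covered, 1 otherwise.
check_index_files() {
    out="$(missing_index_dirs "$1")"
    [ -z "$out" ] && return 0
    printf 'no index.php in: %s\n' "$out"
    return 1
}

# List PHP files under $1 (ignoring the index.php stubs) that contain no
# ABSPATH guard: requesting such a file directly runs it outside the
# WordPress bootstrap, and with display_errors on the resulting fatal
# error prints full filesystem paths.
unguarded_php_files() {
    grep -L -r -E --include='*.php' "defined\( *'ABSPATH' *\)" "$1" 2>/dev/null \
        | grep -v '/index\.php$'
}

count_unguarded() {
    unguarded_php_files "$1" | wc -l | tr -d ' '
}

# Usage: sh harden.sh /path/to/wp-content/plugins
if [ "$#" -ge 1 ]; then
    harden_wp_dir "$1"
    check_index_files "$1" && echo "every directory under $1 has an index.php"
    echo "PHP files without an ABSPATH guard: $(count_unguarded "$1")"
    unguarded_php_files "$1"
fi
```

Running it against a copy of the plugins directory first is a reasonable way to see which plugin files would error out when fetched directly, which is exactly the class of report the thread is arguing about.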
If you run your own servers and can control PHP installs then take a look at the Hardened PHP Project:
Matt has already said that 2.0.2 is ready at any moment if anything serious comes up. The actual bugs are fixed in WordPress 2.0.2, and when the WordPress development team feels something important enough for the release of 2.0.2 comes up, they will release. Obviously these vulnerabilities carry little merit with the team, and for good reason.
Okay, so, you can see which plugins he has installed, or, instead you could make a list of all the plugins with security holes, and visit the URI and see if you get something other than a 404. Either way, any attacker can walk along and figure out which files are running. There is no cross-platform way to solve this problem, bundling .htaccess won’t help non-apache users, things like this should be left to the host, as it is not a script’s duty to manage the server it runs on.
These little security advisories have been showing up since the dawn of PHP. WordPress has seen this in Gentoo’s GLSA for years, and it’s no longer considered any reasonable threat, as there is no sane way for every script and plugin to silently fail without bloating code. Seeing that the only use that would come out of “full path disclosure vulnerabilities” is helping in further attacks, they are not a worry, as without another vulnerability involving the filesystem, this information poses an extremely low, if existent at all, risk.
You are just as bad as the foolish security researchers who report such things, striking up FUD in perfectly harmless scripts.
- The topic ‘WP 2.0.2 Update Coming?’ is closed to new replies.