Support » Requests and Feedback » WP 2.0.2 Update Coming?

  • Just curious if/when we will see an update to address the recently publicized security issues with WP 2.0.1?

Viewing 15 replies - 16 through 30 (of 55 total)
  • Oh, and as a follow-up, does your list show which plugins are activated? I could have 200 plugins in my folder, but if none of them are active, then what? Somebody please correct me if I’m wrong, but if a plugin is deactivated, it can’t really be used against me, eh?

    Besides, I only install plugins from trusted sources. I’d be more concerned about installing a plugin where someone has malicious code hidden in the plugin somewhere.

    masquerade:

    there is no sane way for every script and plugin to silently fail without bloating code.

    Try this:

    if (eregi('script-name.php', $_SERVER['PHP_SELF']))
        die('You cannot run this script directly');

    That’s one line of code. Hardly what I’d call bloat. Very simple to add to any plugin not meant to be called directly by an end user (change “script-name.php” to the actual name of the script the code is included in) .

    This is good for one particular reason: Depending on how a PHP script/plugin is written, it might be able to take action on a system, even if it is not “active” in the WP config. Same goes for any PHP code actually.

    NuclearMoose:

    Somebody please correct me if I’m wrong, but if a plugin is deactivated, it can’t really be used against me, eh?

    Depends entirely on how that code is written. So yes, it’s possible that it could be used against your system.

    If you want to know what plugins I use, I also happen to post a complete list here:
    http://nuclearmoose.ca/colophon/

    Bad idea, in my opinion. No sense giving intruders free info to potentially use against you.

    NuclearMoose, depending on the actual threat, a plugin can be used against you without activation.

    WP has been around the path disclosure merry-go-round again and again. There is most likely nothing anyone can say that hasn’t been brought up in past attacks and defenses about the issue.

    Serious discussion about path disclosure and whether it’s a bug belongs in http://lists.automattic.com/mailman/listinfo/wp-hackers

    I’d recommend that anyone with an urge to respond further to this thread consider whether their positions haven’t been summed up by marke1 & scaturan on one side or masquerade on the other already. The average user just wants to know whether they need to worry about anything new or critical, and the WP devs have decided that they don’t. Disputing this decision is best done on the wp-hackers mailing list. Thanks.

    if (eregi('script-name.php', $_SERVER['PHP_SELF']))
        die('You cannot run this script directly');

    This will not work on hosts running PHP as CGI and will cause scripts to die upon inclusion of a file. This violates the WordPress coding standards, and wouldn’t be committed anyways. Also imagine a url like /?dl=script-name.php, where a proper check like a strpos would return true. To create a proper check, you’ve just created a 30 line script.
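    To make the disagreement above concrete, here is an added illustration (not code from this thread or from WordPress) that contrasts the PHP_SELF name match with the ABSPATH guard that WordPress plugins conventionally use; the PHP_SELF values and the "loaded via WordPress" flags are constructed sample inputs.

    ```php
    <?php
    // Added example: two ways of refusing direct requests to a file that is
    // only meant to be include()d by WordPress, run against constructed inputs.

    // 1) The check proposed in the thread: match the script name against
    //    PHP_SELF. It keys on the request path, not on how the file was loaded.
    function blocked_by_name_match(string $php_self, string $script = 'script-name.php'): bool
    {
        // preg_match stands in for the old eregi(); 'i' keeps it case-insensitive.
        return (bool) preg_match('/' . preg_quote($script, '/') . '/i', $php_self);
    }

    // 2) The guard WordPress plugins conventionally use: ABSPATH is defined by
    //    WordPress core before plugins load, so a file reached any other way bails.
    //    In a real plugin this is:  if ( ! defined( 'ABSPATH' ) ) { exit; }
    function blocked_by_abspath_guard(bool $loaded_via_wordpress): bool
    {
        return ! $loaded_via_wordpress;
    }

    // Constructed cases: [PHP_SELF as some hosts report it, loaded via WP?, description]
    $cases = [
        ['/wp-content/plugins/foo/script-name.php', false, 'direct hit, PHP as Apache module'],
        ['/cgi-bin/php',                            false, 'direct hit, PHP as CGI (PHP_SELF is the CGI binary)'],
        ['/index.php/script-name.php',              true,  'normal page whose PATH_INFO merely contains the name'],
        ['/index.php',                              true,  'normal page load that includes the plugin'],
    ];

    foreach ($cases as [$self, $via_wp, $desc]) {
        printf("%-58s name match blocks: %-4s ABSPATH guard blocks: %s\n",
            $desc,
            blocked_by_name_match($self) ? 'yes' : 'no',
            blocked_by_abspath_guard($via_wp) ? 'yes' : 'no');
    }
    ```

    The second case shows the name match missing a direct request on a CGI host, and the third shows it killing a legitimate page load; the ABSPATH guard gets all four right because it tests how the file was reached rather than what the URL looks like.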

    Just some simple advice for “average WP users”:

    — put an empty index.php file in every directory on your WP install that doesn’t have its own index.php file (e.g. don’t overwrite existing index.php files!)

    — don’t tell people what plugins you use

    Overall, I’d say the security issues posted by Neo Security Team on 27 Feb 2006 are not, in and of themselves, a problem. BUT, they could be used in some sort of combined attack at a later date.

    There is one way to nip all this in the bud so that WP users don’t become overly excited when it crops up in the future: Guard against it in the WP code. That’d be about the end of it, wouldn’t it?

    podz writes on the wp-hackers mailing list:

    ——————————
    http://wordpress.org/support/topic/63115?replies=4

    Please kill this in the forums.
    Or not…

    P.

    ——————————

    http://comox.textdrive.com/pipermail/wp-hackers/2006-March/005146.html

    Please censor open, on-topic discussion?

    LOL !

    Directory listing, which in turn exposes plug-in names, is never being linked to. Thus, it will not be indexed by search engines and flawed plug-ins will not be easily discoverable.

    You could trivially scan many blogs using a script in attempts to find vulnerabilities. PHP-Nuke, Advanced Guestbook and Coppermine are notorious in that respect.

    All in all, getting a list of plug-ins may be a convenient way for learning the blog’s composition. If you target a particular vulnerability (due to third-party code), it gives the hacker no advantage. That, marke1, is why your argument and its ludicrous, overstated backing are void.

    easy there sparky. perhaps he meant “kill it” as in, respond and put to rest? At least, that’s how I took it.

    Nobody said anything about censoring…where’d you get that idea, marke1?

    BTW, thanks for the clarification on activated plugins versus deactivated ones, marke1 and Firas.

    I think that this whole “don’t tell anyone what plugins you use” is bullshit. Total bullshit. All you have to do is LOOK at most WP blogs, and you can tell right away that they are using various plugins, based on what you see in their content and such. Recent comments, recent posts comes to mind. Also, all you have to do is view the source of a blog and often you can see what javascript is being used and some plugins and such use CSS in such a way that you can see that a certain plugin is used:

    div class="sb-latest" – easy to see what plugin that’s from.

    /wp-content/themes/k2/js/livesearch.js.php

    Should I hide the fact that I use WordPress for my blog? Why give that information to hackers?

    Should I hide the fact that I use a certain template for my blog?
    Why give that information to hackers?

    Oh, wait…maybe the WP devs are irresponsible for telling the world that you can use PHP, Apache, and mySQL to support your blog code. God knows that information is helpful to hackers, isn’t it?

    I know, I’ll just disconnect from the internet and then I’ll be safe from everything!

    BUT, they could be used in some sort of combined attack at a later date.

    When the “Neo Security Team” actually comes up with a working combined attack, that will be something worthy of note. What they’ve reported here is known and so repeatedly explained that knowledgeable WordPress folks often don’t bother responding to its ilk any more.

    What concerns me is that some outfit calling itself a “security team” can come along and write about so-called vulnerabilities in software and be taken seriously. What credentials does this group have? Where did they learn to write in such poorly-spelled and grammaticized English? And how can a person place any faith in an outfit whose security reports often begin, “Maybe you think this kind of bugs are not bugs…”?

    If you’ve even bothered to try the suggested attack methods in the report, you know that some don’t even work as described!

    In spite of the folderol generated in response to this “threat”, take note that at least 5 highly prominent WordPress contributors have considered the issue thoughtfully enough to respond. Just recall that fact when you imagine a real threat report crossing the WordPress event horizon.

    And regarding computer security in general, NuclearMoose: The safest place for your data is not in a computer. Security is always a trade-off for convenience. The more convenience you get, the less security you have. See also: Airport body cavity searches – Less convenient? Yes. More secure? Arguably. 😉

    Take note of some Codex remarks on the subject of security in WordPress:

    http://codex.wordpress.org/Hardening_WordPress
    http://codex.wordpress.org/User:ringmaster/Hardening_WordPress

    NuclearMoose:

    I know, I’ll just disconnect from the internet and then I’ll be safe from everything!

    This might help — the world’s only truly secure firewall:
    http://www.acehardware.com/product/index.jsp?productId=1340674

    LOL ! All in good fun…

    ringmaster:

    What concerns me is that some outfit calling itself a “security team” can come along and write about so-called vulnerabilities in software and be taken seriously.

    Security is relative, as you point out. So obviously levels of concern differ. In my opinion, the less intruders know, the better off my sites are. This is indeed a bit of security through obscurity, and it does help.

    Once bitten, twice shy — as the saying goes.

    Thanks for the link to the hardening doc. That’ll be helpful.

    marke1 said:
    This might help — the world’s only truly secure firewall:
    http://www.acehardware.com/product/index.jsp?productId=1340674

    LOL! Good one! 🙂

    There is already a 2.0.2 in the works. You can track it in SVN under ‘/branches/2.0’. I know that the comment form XSS bug is already taken care of, and I’m sure that the other issues mentioned will be taken into consideration.

    That said… The XSS bug is hard to exploit, because you pretty much have to target a particular individual.

    Directory listings are the result of server settings that go beyond WordPress. Yes, we can get rid of it by adding an empty index.php file, but it’s misleading to call this a bug in WP.

    Disallowing direct access to some of the files may be a good idea, as noted.

  • The topic ‘WP 2.0.2 Update Coming?’ is closed to new replies.