RE: RE: A quick update on the security issue I'd mentioned today

Brian Layman
Matt Mullenweg wrote:
> If the attacker is able to upload and execute a file on the server, it's
> already far beyond where we could do anything on the WordPress level to
> protect that site. What you describe is a pretty clever hack once things
> are already on the server, though. Thanks for continuing to investigate
> this.

Thanks for being cool about it, Matt.  

And I agree with your statement too: getting this stuff on the server is
next to impossible in most situations and is specifically what WordPress has
taken steps to combat.

I'm glad I did this though, because I'd thought I'd secured my semi-public
upload directory fairly well. However, I instead just proved that you can
only protect yourself from what you know about.

As the saying goes:

"If you know the enemy and know yourself,
     you need not fear the result of a hundred battles.  
If you know yourself but not the enemy,
     for every victory gained you will also suffer a defeat.
If you know neither the enemy nor yourself,
     you will succumb in every battle."
Sun Tzu's Art of War. Chapter 3 verse 18
http://www.chinapage.com/sunzi-e.html


_______________________________________________
Brian Layman
www.TheCodeCave.com
 
_______________________________________________
wp-hackers mailing list
[hidden email]
http://lists.automattic.com/mailman/listinfo/wp-hackers