RE: RE: A quick update on the security issue I'd mentioned today
Matt Mullenweg wrote:
> If the attacker is able to upload and execute a file on the server, it's
> already far beyond where we could do anything on the WordPress level to
> protect that site. What you describe is a pretty clever hack once things
> are already on the server, though. Thanks for continuing to investigate
Thanks for being cool about it, Matt.
And I agree with your statement too: getting this stuff on the server is
next to impossible in most situations and is specifically what WordPress has
taken steps to combat.
I'm glad I did this though, because I'd thought I'd secured my semi-public
upload directory fairly well. However, I instead just proved that you can
only protect yourself from what you know about.
As the saying goes:
"If you know the enemy and know yourself,
you need not fear the result of a hundred battles.
If you know yourself but not the enemy,
for every victory gained you will also suffer a defeat.
If you know neither the enemy nor yourself,
you will succumb in every battle."
Sun Tzu's Art of War, Chapter 3, verse 18