Security. Forum post - 2.0.1 has holes.

Podz
http://wordpress.org/support/topic/63115?replies=4

Please kill this in the forums.
Or not...

P.
_______________________________________________
wp-hackers mailing list
[hidden email]
http://lists.automattic.com/mailman/listinfo/wp-hackers

Re: Security. Forum post - 2.0.1 has holes

Podz

Can I suggest a Dev Blog post today that will kill this security crap in
the forums, or the release of a fixed up 2.0.2 ?

I don't think ignoring this stuff is the best approach.

P.

Re: Security. Forum post - 2.0.1 has holes

Sebastian Herp
Podz wrote:
> Can I suggest a Dev Blog post today that will kill this security crap in
> the forums, or the release of a fixed up 2.0.2 ?
>
> I don't think ignoring this stuff is the best approach.
Why not? It's a false alarm. I tried it and it only works as admin. Why
should I hack a blog, when I am already an admin ... big deal!

Re: Security. Forum post - 2.0.1 has holes

Robert Deaton
On 3/2/06, Sebastian Herp <[hidden email]> wrote:
> Podz wrote:
> > Can I suggest a Dev Blog post today that will kill this security crap in
> > the forums, or the release of a fixed up 2.0.2 ?
> >
> > I don't think ignoring this stuff is the best approach.
> Why not? It's a false alarm. I tried it and it only works as admin. Why
> should I hack a blog, when I am already an admin ... big deal!

And the average user who happens to hear about a vulnerability posted
on secunia, who has a history of posting serious threats, now thinks
that their install is vulnerable, and now we have countless people
coming on IRC and the forums wondering when there will be a security
upgrade.

--
--Robert Deaton
http://somethingunpredictable.com


Re: Security. Forum post - 2.0.1 has holes

Jason Salaz
Robert Deaton wrote:

> On 3/2/06, Sebastian Herp <[hidden email]> wrote:
>> Podz wrote:
>>> Can I suggest a Dev Blog post today that will kill this security crap in
>>> the forums, or the release of a fixed up 2.0.2 ?
>>>
>>> I don't think ignoring this stuff is the best approach.
>> Why not? It's a false alarm. I tried it and it only works as admin. Why
>> should I hack a blog, when I am already an admin ... big deal!
>
> And the average user who happens to hear about a vulnerability posted
> on secunia, who has a history of posting serious threats, now thinks
> that their install is vulnerable, and now we have countless people
> coming on IRC and the forums wondering when there will be a security
> upgrade.

All Podz wants is a post people will see in their dashes, and on the planet.
We know it's hokey, we know it's pure BS, but how many of them read this
list?
People need warm and fuzzy re-assurance with an overview of a few
reasons why, not a full documented/detailed response.

Re: Security. Forum post - 2.0.1 has holes

Andy Skelton
On 3/2/06, Jason S. <[hidden email]> wrote:
> All Podz wants is a post people will see in their dashes, and on the planet.
> We know it's hokey, we know it's pure BS, but how many of them read this
> list?

Exactly. It heads off the stampede. Head 'em up! Move 'em out!

Andy

Re: Security. Forum post - 2.0.1 has holes

Craig-16
In reply to this post by Sebastian Herp
Ignoring it means that all of the chicken littles will continue to squawk
about the end of the world and silence from the devs will be interpreted as
either collusion or a behind-the-scenes cover-up that the devs are secretly
working on to fix without admitting there is a problem.

I've seen it all before, and it sucks the life out of the forum volunteers
as they have to devote energy to explain to the majority of non-fear

Re: Security. Forum post - 2.0.1 has holes

Podz
In reply to this post by Sebastian Herp
Sebastian Herp wrote:
> Podz wrote:
>> Can I suggest a Dev Blog post today that will kill this security crap in
>> the forums, or the release of a fixed up 2.0.2 ?
>>
>> I don't think ignoring this stuff is the best approach.
> Why not? It's a false alarm. I tried it and it only works as admin. Why
> should I hack a blog, when I am already an admin ... big deal!

Do you think I ask for this because I'm bored and can't think of
anything else to do on a Thursday? Do you realise how incredibly
annoying this is when we have to continually defend WordPress? Do you
realise how many times this has happened before and that we KNOW a post
by Matt shuts them all up? No? Right, trust me okay?

I'll be honest though - if it wasn't for the dashboard I think something
may well have been posted.

P.



Re: Security. Forum post - 2.0.1 has holes

Roy Schestowitz-2
In reply to this post by Craig-16
_____/ On Fri 03 Mar 2006 06:10:47 GMT, [Craig] wrote : \_____

> Ignoring it means that all of the chicken littles will continue to squawk
> about the end of the world and silence from the devs will be interpreted as
> either collusion or a behind-the-scenes cover-up that the devs are secretly
> working on to fix without admitting there is a problem.
>
> I've seen it all before, and it sucks the life out of the forum volunteers
> as they have to devote energy to explain to the majority of non-fear

There is also a negative impact when one posts an item titled "Don't worry,
WordPress is safe". It shows doubt. If Mark fears is concerned the privacy
of his poison (plug-ins), then he should toss a blank index in the plug-ins
directory. If you accept his argument and post clarifications about this
so-called 'vulnerability', what will be next?

People could start a commotion over other aspects which are considered more
serious 'vulnerabilities'. Users could argue about serious matters like the
reluctance to lock WordPress after a particular number of failed logins
(still?) or the disclusion of 'out of the box' DDOS attack protection.


Re: Security. Forum post - 2.0.1 has holes

Robert Deaton
On 3/3/06, Roy Schestowitz <[hidden email]> wrote:
> There is also a negative impact when one posts an item titled "Don't worry,
> WordPress is safe". It shows doubt. If Mark fears is concerned the privacy
> of his poison (plug-ins), then he should toss a blank index in the plug-ins
> directory. If you accept his argument and post clarifications about this
> so-called 'vulnerability', what will be next?

The vulnerabilities published are much worse than this, and of all
this needs the least clarification. What needs clarification is that
there is no XSS, nobody can remotely take down your blog or change
your pages, potentially steal your login information with malicious
javascript, etc.

> People could start a commotion over other aspects which are considered more
> serious 'vulnerabilities'. Users could argue about serious matters like the
> reluctance to lock WordPress after a particular number of failed logins
> (still?) or the disclusion of 'out of the box' DDOS attack protection.

DDOS protection comes at a level much earlier than WordPress, and in
order for WordPress itself to know that it may be coming under DDOS,
WordPress has to store additional data in the database or on the
filesystem. Each write is more harmful than the last, and really
trying to stop DDOS attacks is opening yourself up to more.

DDOS at this level is targeting the hardware and the underlying
components of a website, the HTTP server, the network stack, the
bandwidth limits of your PCI buses, not the software, and anyone who
argues that WordPress needs builtin DDOS protection is a fool imho.

--
--Robert Deaton
http://somethingunpredictable.com


Re: Security. Forum post - 2.0.1 has holes

Gustavo Barron-2
In reply to this post by Podz
Podz wrote:

> Sebastian Herp wrote:
>  
>> Podz wrote:
>>    
>>> Can I suggest a Dev Blog post today that will kill this security crap in
>>> the forums, or the release of a fixed up 2.0.2 ?
>>>
>>> I don't think ignoring this stuff is the best approach.
>>>      
>> Why not? It's a false alarm. I tried it and it only works as admin. Why
>> should I hack a blog, when I am already an admin ... big deal!
>>    
>
> Do you think I ask for this because I'm bored and can't think of
> anything else to do on a Thursday? Do you realise how incredibly
> annoying this is when we have to continually defend WordPress? Do you
> realise how many times this has happened before and that we KNOW a post
> by Matt shuts them all up? No? Right, trust me okay?
>
> I'll be honest though - if it wasn't for the dashboard I think something
> may well have been posted.
>
> P.
>  
In the Spanish-speaking community, people started linking this "XSS" and
making a little bad publicity for the project. As for myself, I just
discovered these posts on many blogs and started explaining that there
isn't any threat in this. But well, we really need to put this on the
dev blog.

Re: Security. Forum post - 2.0.1 has holes

Sebastian Herp
In reply to this post by Podz
I'm sorry, I didn't want to sound rude and I really appreciate what you
are doing for WordPress. I just didn't _see_ the full extent of this
little incident. People who don't know better - most of them - really
freak out fast if some high instance speaks of vulnerabilities in their
favorite piece of software.

And I agree. One word from Matt would be really helpful now. People are
starting not to believe me that it's safe, even if I let them execute the
posted exploit on their own blog :-) ... maybe they believe Matt :-)

Greetings

Podz wrote:

> Do you think I ask for this because I'm bored and can't think of
> anything else to do on a Thursday? Do you realise how incredibly
> annoying this is when we have to continually defend WordPress? Do you
> realise how many times this has happened before and that we KNOW a post
> by Matt shuts them all up? No? Right, trust me okay?
>
> I'll be honest though - if it wasn't for the dashboard I think something
> may well have been posted.
>
> P.
>
>  
