full-disclosure-uk May 2007 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] WordPress Community Vu

Re: [Full-disclosure] WordPress Community Vulnerable

From: Steven Adair <steven_at_nospam>
Date: Thu May 24 2007 - 17:27:41 GMT
To: "Paul Schmehl" <pauls@utdallas.edu>


> --On Thursday, May 24, 2007 09:44:02 -0500 Steven Adair
> <steven@securityzone.org> wrote:
>
>> So do you think his two WordPress blogs (I am assuming here..looks a lot
>> like WP, but I'm not pounding out GET requests to verify) were included
>> in
>> this "survey" that was done? I wonder if he's running a safe version?
>> And as mentioned in one of his blog comments, version reporting isn't
>> always reliable and patches that did not change the extractable version
>> number could have also been applied.
>>
>> In any event, I think WordPress has increasingly become more secure.
>> It's
>> had a small rash of issues a few months back ranging from SQL injection
>> to
>> someone actually backdooring the source, but it's grown up quite a bit.
>> I
>> think someone would be hard pressed to actually come up with the Month
>> of
>> Wordpress bugs. The majority of all other recently reported issues have
>> all from third party add-ons that aren't actually a part of WordPress.
>>
> Yes, but the point of his post isn't that *Wordpress* is insecure. It's
> that blog owners are not updating their software to maintain security.
> While anyone in IT would go "doh!", many in the "real" world might be
> surprised that the software has to be regularly updated and vigorously
> maintained to ensure ongoing security.
>
> This isn't exactly news for us, but it may well be for the blogosphere in
> general.
>

Perhaps, but there is an assumption that may be incorrect that these blogs are insecure. Also, there is no mention of how the survey was done. I could probably go out and make a list of 2000 blogs where only one of them wasn't the latest version. I do understand his point though, and I guarantee you can find well over 50 older version WP blogs that are vulnerable. However, part of my response was geared towards Larry's post about the possibility MoWPB (Month of WordPress Bugs) -- which is something I just don't see happening.

Steven

> --
> Paul Schmehl (pauls@utdallas.edu)
> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/