• Just curious if/when we will see an update to address the recently publicized security issues with WP 2.0.1?

Viewing 15 replies - 31 through 45 (of 55 total)
  • by marke1:
    Overall, I’d say the security issues posted … are not, in and of themselves, a problem. BUT, they could be used in some sort of combined attack at a later date.

    Exactly, esp. when playing around with XSS in comments.

    For (hopefully the last) time, there is no XSS vulnerability; the only person’s machine that you can run code on is your own. The vulnerability is bogus. It’s simply a bug in cookie input validation that could allow someone to execute javascript on their own machine.

    I’m happy to see that this rather entertaining thread wasn’t closed. The question on the hackers list was not if it should be deleted, but closed.

    On the matter, which really should be on that list, I’ll give my support to the statement that allowing directory listing or not is a matter of configuring the web server.

    It should be taken care of by the service provider or server owner. On my host it is disallowed by default. On hosts with the opposite policy, the user could disallow directory browsing in a .htaccess file in his/her document root.

    Just make a damn zip file and an update.php and we will be happy. What’s so hard about that? Now the XSS is widely known.

    Posted to the Hackers list.
    Seen by people who know the WordPress code inside out.
    Seen by people who, if there was the slightest thing wrong, would jump on it.

    “What needs clarification is that there is no XSS, nobody can remotely take down your blog or change your pages, potentially steal your login information with malicious javascript, etc.”

    If there WAS any threat to a WordPress blog from someone who had nothing to do with that blog, then something would have been said and done by now. There are enough critics of WordPress that we would have more noise about this than we do have.

    I have to agree with one thing .. path disclosure IS a serious issue. I’ve submitted it to Mosquito before …
    Whether you call it a server misconfiguration OR an application issue, it’s still something that needs addressing.

    phpBB addresses it.
    vbulletin addresses it.
    b2evolution addresses it.

    follow this:

    Matt: Let’s make it so people have this nifty convenience feature that lets them edit files in the backend. It will be good for the people that can’t find an ftp client (huh??) or are just too lazy to download. It’s ok that the files to be edited need to be chmod 777.

    The above is done to make things easier on newbs, I presume. Someone who knows better, aka a NON-newb, would never fall for leaving files as world-writable.

    Next breath …

    Matt: Let’s rely on the user to manage php error reporting and any potential path disclosures.

    The above suggests that Matt thinks the aforementioned newb actually knows how to handle such things.

    In other words, in one breath you dumb it down, and as a result, have security issues, and in the next, you don’t dumb it down and have security issues.

    At the very least, some consistency would be nice. I have to wonder sometimes who this application is actually being coded for.

    Thread Starter marke1 (@marke1):

    podz wrote:

    There are enough critics of WordPress that we would have more noise about this than we do have.

    Criticism can be a very good thing. Without it, ideas aren’t nearly as bountiful.

    At the same time, taking offense to criticism is wasted energy. Pointing out FACTS — e.g. Truth — is enough, otherwise one is dragged into the melee. Sometimes it’s best to address malicious critics indirectly, so as to avoid giving them your energy.

    Waxing philosophic there, I know.

    marke1 – and if you’d read enough posts around here and on lists you’d know that I do criticise.

    I agree with your point, but I’m not a Yes-man ??

    whooami:
    I have to wonder sometimes who this application is actually being coded for.

    That makes (at least) two of us. Although I didn’t need this thread for it.

    Thread Starter marke1 (@marke1):

    podz:

    marke1 – and if you’d read enough posts around here and on lists you’d know that I do criticise.

    If I only had time to do everything that I’d like to do. But alas, other things take precedence. So I can only participate here now and then. I’ve been to this forum countless times, and I am a huge fan of WP. Excellent code.

    And hey, bbPress is good too. I use it.

    I have to agree with one thing .. path disclosure IS a serious issue. I’ve submitted it to Mosquito before …
    Whether you call it a server misconfiguration OR an application issue, it’s still something that needs addressing.

    phpBB addresses it.
    vbulletin addresses it.
    b2evolution addresses it.

    If ten projects bloat code by adding four lines to each file to protect against path disclosure, should we follow just because they do it? Just because another software does it doesn’t mean it’s a good idea or even necessary (especially when one of your references is phpBB, of all things to reference. phpBB just needs this because their record of security vulnerabilities which this could assist is huge.)

    The idea here is to promote the use of webhosts with some bit of sanity. Nobody said for the average user to know how to change settings, but hosts should, and they should be responsible. There comes a limit to what a PHP script should have to do to work around the problems with webhosts, and path disclosure is one of those limits.

    Thread Starter marke1 (@marke1):

    masquerade:

    The idea here is to promote the use of webhosts with some bit of sanity. Nobody said for the average user to know how to change settings, but hosts should, and they should be responsible.

    This is one crux of the matter of development. Should developers try to protect users from both themselves and lax admins, or not? Opinions differ. Regardless, the more popular an application becomes the more often people will look for holes in it.

    For example, OS X has enjoyed obscurity in the sense that intruders haven’t poked around with it too much — until lately. It’s the same old thing we see everywhere in life: Tell somebody they can’t and they will sure as hell try!

    So having what appears to be an “admin-only XSS” issue will raise awareness among intruders to look to see if they can find something that the original discoverer missed. It’s a game to many of those people.

    Best thing to do is sanitize all input so it’s not possible against any user account. As for directory browsing, again that’s real easy to protect against (in case the user or admin doesn’t): include a blank index.php file in every directory that doesn’t have a useful one already. Then this issue will never come up again.
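    The two host-side fixes discussed in this thread, disallowing directory browsing in .htaccess (as suggested earlier) and dropping a blank index.php into every directory (as suggested just above), plus turning off PHP error display so a warning does not reveal the install path, as one added script. This is an added example, not code from the thread or from WordPress; it assumes Apache honouring .htaccess (AllowOverride) and mod_php, which is what php_flag requires.

```sh
#!/bin/sh
# Added example, not code from the thread or from WordPress. Hardens a web
# root against the two issues above: directory listing and PHP errors that
# print absolute paths. Assumes Apache honouring .htaccess (AllowOverride)
# and mod_php, which is what php_flag requires.
set -eu

# Append the two directives to .htaccess unless they are already there.
harden_htaccess() {
    ht="$1/.htaccess"
    # Options -Indexes: a directory without an index file returns 403, not a listing.
    grep -qs '^Options -Indexes' "$ht" || printf 'Options -Indexes\n' >> "$ht"
    # display_errors Off: a PHP warning no longer shows the visitor the file path.
    grep -qs '^php_flag display_errors' "$ht" || printf 'php_flag display_errors Off\n' >> "$ht"
}

# The fallback from the thread: an empty index.php in every directory that
# lacks an index file, for hosts that leave listings enabled.
add_blank_indexes() {
    find "$1" -type d | while read -r d; do
        if [ ! -e "$d/index.php" ] && [ ! -e "$d/index.html" ]; then
            : > "$d/index.php"
        fi
    done
}

# Print directories that would still be listable; prints nothing when clean.
listable_dirs() {
    find "$1" -type d | while read -r d; do
        [ -e "$d/index.php" ] || [ -e "$d/index.html" ] || echo "$d"
    done
}

# Demo on a constructed tree standing in for a WordPress install.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/wp-content/uploads" "$demo_root/wp-includes"
printf '<?php // real front page\n' > "$demo_root/index.php"
harden_htaccess "$demo_root"
add_blank_indexes "$demo_root"
echo "still listable: $(listable_dirs "$demo_root" | wc -l) directories"
cat "$demo_root/.htaccess"
```

    Running it twice is safe: the grep guards keep the .htaccess directives from being appended again, and existing index files are never overwritten.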

    “If ten projects bloat code by adding four lines to each file to protect against path disclosure, should we follow just because they do it?”

    Give me a fucking break. Four lines of code is bloat? I think not.

    “The idea here is to promote the use of webhosts with some bit of sanity.”

    It is? So you mean to suggest that because of “principle” an application developer shouldn’t do SIMPLE things to make their apps more secure? That’s one of the most ridiculous excuses I think I have heard here.

    You’re a riot. It’s nice to know that everyone here has the end-user in mind. Not.

    God forbid other developers are so high and mighty. Are you by chance looking for work at Microsoft? You would undoubtedly fit in.

    marke1 –

    I quote: So having what appears to be an “admin-only XSS” issue will raise awareness among intruders to look to see if they can find something that the original discoverer missed. It’s a game to many of those people.

    Now just who was it that brought this whole thing out to the generalized script-kiddie surfing public?

    Hmmm.

  • The topic ‘WP 2.0.2 Update Coming?’ is closed to new replies.