WP 2.0.2 Update Coming?
-
Just curious if/when we will see an update to address the recently publicized security issues with WP 2.0.1?
-
Still happy this thread isn’t closed ??
I thought it might be educational to test the following statement,
“The idea here is to promote the use of webhosts with some bit of sanity.”
Why not take a look at the “sanity” of some the hosts that are advertised on www.ads-software.com??? And of course, lets make sure that these are “average user” blogs, NOT the box owner’s blog, or a site that would be considered “high-profile” like boing-boing.
First, I decided to locate a blog hosted on yahoo, wordpresses latest preferred host, and see what kind of sanity THEY offer.
The first blog I located was https://blog.alanguilan.com .. there is a little hosted by yahoo image on the lower right, and a traceroute confirms it’s hosted on yahoo.
A simple directory listing could be done:
https://blog.alanguilan.com/wp-includes/Were php errors supressed? yes.
The second host was bluehost, the blog is https://www.sugaredharpy.com (again verified using traceroute)
Not surprisingly, a full path disclosure was possible:
https://www.sugaredharpy.com/wp-settings.php
as well as a directory listing:
https://www.sugaredharpy.com/wp-includes/
Next in line is dreamhost and the chosen blog is https://www.squarefree.com (traceroute verified)
A directory listing was available:
https://www.squarefree.com/wp-includes/
as was a full path diclosure:
https://www.squarefree.com/wp-admin/edit-form-advanced.php
I was not able to locate a “regular user” blog on laughing squid, nor was I able to locate one on anhosting.
But i think my point is made.
So much for promoting webhosts with “sanity”. Any more “full of crap” excuses you would like to toss out, masquerade???
Apologies to those blogs that I poked around in.
Give me a fucking break. Four lines of code is bloat? I think not.
4 * 357 is.
You also mistake me for having anything to do with what hosts are listed on the page on www.ads-software.com, or my views even being remotely close to what any of the devs may think. I’m simply stating my thoughts on why things should remain as they do, and personally if I had my choice, the list of hosts on the Hosting page would not be what they are today (Dreamhost and Bluehost particularly, they’ve gone to hell over the years, and anywhere with a WP auto-install is pretty low on the list of hosts that should be recommended, as guess what permissions files are left laying around as?), but then again, money speaks, doesn’t it?
Besides, how will hosts ever know that they aren’t configured correctly until someone says “Well shit, because you guys didn’t follow the recommended standards for a PHP host and left error reporting on, my site was hacked, and your server rooted.” It takes learning by hard example to get people to comply, and if that’s so, its fine with me, there’s little other way.
I don’t get the big deal about full path disclosure. I mean, chances are after a few tries, I could probably guess the path for 50-75% of the sites out there as it’s usually a pretty standard path for sites.
its not the path, per say, viper, its the username. Thats 1/2 of whats neccessary to access just about everything related to any webhosting account. And its 1/2 more than need be available to anyone that might have malicious intentions.
As for you, masquerade, I think youve already been put in your place. I expect you wont be approving my pingback to your recent reply on your blog. No loss.
Delete this
vkaryl:
Now just who was it brought this whole thing out to the generalized script-kiddie surfing public?
Looks to me like it was Neo Security Team. They posted it to the oldest and most popular security mailing list on the planet. . . I thought that was already made glaringly obvious.
What’s your point?
a) I know who weeklytips is. Whee. Quick editing though — nice save.
b) *marke1 – I suspect Vkaryl was delicating suggesting that you brewed this teapot’s current tempest by bringing the excitement here to, largely, a crowd of folks who don’t follow security mail lists. Thus perphaps putting “bad thoughts” into some impressionable minds.
HandySolo:
b) I suspect Vkaryl was delicating suggesting that you brewed this teapot’s current tempest by bringing the excitement here to, largely, a crowd of folks who don’t follow security mail lists. Thus perphaps putting “bad thoughts” into some impressionable minds.
I’ve been a member of Bugtraq security mailing list (where NST posted their findings) for so long that I honestly forgot when I joined. One thing I’ve seen in all that time is that once something is posted there it’s nearly instantly known by the entire black hat (bad guys) community. Therefore, I don’t see any harm in asking about it here in a somewhat constrained manner. In fact, if you notice, I didn’t post any direct info or any links in my initial post. That was entirely intentional. After another forum member linked to the rebuttal info then the cat was out of the bag in so far as readers of this forum go.
a) I know who weeklytips is. Whee. Quick editing though — nice save.
as do I, and it was a sloppy save. he was too busy pulling half-baked answers out of his ass to remember who he was logged in as apparantly.
- The topic ‘WP 2.0.2 Update Coming?’ is closed to new replies.