Account Options

  1. Sign in
The old Google Groups will be going away soon.
Switch to the new Google Groups.
Google Groups Home
« Groups Home
wp-hackers
Home
+ new post
About this group
Join this group
Message from discussion Plugin update & security / privacy
The group you are posting to is a Usenet group. Messages posted to this group will make your email address visible to anyone on the Internet.
Your reply message has not been sent.
Your post was successful
 
From:
To:
Cc:
Followup To:
Add Cc | Add Followup-to | Edit Subject
Subject:
Validation:
For verification purposes please type the characters you see in the picture below or the numbers you hear by clicking the accessibility icon. Listen and type the numbers you hear
 
Viper007Bond  
View profile  
 More options Sep 23 2007, 6:52 am
From: Viper007Bond <vi...@viper007bond.com>
Date: Sun, 23 Sep 2007 03:52:41 -0700
Local: Sun, Sep 23 2007 6:52 am
Subject: Re: [wp-hackers] Plugin update & security / privacy
Print | View thread | Show original | Report this message | Find messages by this author
Your logic is flawed. You assume that someone looking to exploit won't
attack the latest version. This is usually untrue. If a serious exploit is
found, hackers usually just Google for "WordPress" (it's already on your
site for "powered by WordPress") or like wp-login.php and then attempt to
exploit it, regardless of version. If some database somewhere somehow did
get leaked, then all it'd do is just make the hackers job easier -- it
wouldn't enable them.

And by checking for an update, your server's IP address is sent
automatically. It wouldn't be hard to reverse lookup that IP.

Simply put, if you really insist on wearing a tin foil hat, it's uber easy
to disable the automatic update checker. For the other 99.99999% of people
out there, this feature will be a godsend to them in both terms of new
features and more importantly, the _only_ real way to make sure your site
doesn't get hacked -- by running the latest version.

On 9/23/07, Moritz 'Morty' Strübe <mo...@gmx.net> wrote:

> I know this will not change until Monday, but is it really necessary to
> transmit the URL? Wouldn't the md5 of the URL do? I know it's easy to
> find WP-Blogs via google. But imagine have them all nicely in a database
> - All of them. Including version, plugins and so on. If that database
> gets public and you find a security bug in one of the plugins - there
> are enough - you can start a _very_ effective attack!

> -> update.php:85     $http_request .= 'User-Agent: WordPress/' .
> $wp_version . '; ' . get_bloginfo('url') . "\r\n";

> Cheers
> Morty

> _______________________________________________
> wp-hackers mailing list
> wp-hack...@lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

--
Viper007Bond | http://www.viper007bond.com/
_______________________________________________
wp-hackers mailing list
wp-hack...@lists.automattic.com
http://lists.automattic.com/mailman/listinfo/wp-hackers

 
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
Create a group - Google Groups - Google Home - Terms of Service - Privacy Policy
©2012 Google