From: Moritz 'Morty' Strübe <mo...@gmx.net>
Date: Sun, 23 Sep 2007 12:33:08 +0100
Local: Sun, Sep 23 2007 7:33 am
Subject: Re: [wp-hackers] Plugin update & security / privacy
Viper007Bond wrote:
> Your logic is flawed. You assume that someone looking to exploit won't
> attack the latest version. This is usually untrue. If a serious exploit is
> found, hackers usually just Google for "WordPress" (it's already on your
> site for "powered by WordPress") or like wp-login.php and then attempt to
> exploit it, regardless of version. If some database somewhere somehow did
> get leaked, then all it'd do is just make the hackers job easier -- it
> wouldn't enable them.

And as the version gets transmitted you also get a nice list of outdated blogs. Didn't I already say I thought of that? That's why I'm referring to plugins. Opposed to Wordpress, plugins have fewer installations and are often maintained by a single person. Fewer installations makes them less interesting for attacks, because it is not always easy to find them. But if you have a nice list, including the version in use.... The problem with the single person is that this person is maintaining the plugin in his spare time. Opposed to Wordpress itself, where a lot of people, making money, are interested in Wordpress being safe.

> And by checking for an update, your server's IP address is sent
> automatically. It wouldn't be hard to reverse lookup that IP.

First of all you don't need a reverse lookup, as you can just enter the IP. Second, if you do a reverse lookup you often only get something like serverxy.hoster.tld, because most people don't want to spend so much money for a v-server or even a real server. Therefore the IP doesn't help you that much. Of course you can check all the domains on that host, but you would also have to check for subdomains and/or subdirectories. Of course there are people where you can start an attack using the IP or with the domain you get with a reverse lookup, but those are not the installations I'm worried about. BTW: Being able to access a server by IP number or the reverse DNS entry is a security flaw in my eyes, but that is another matter.
Or in short: The IP helps you, but not much.

> Simply put, if you really insist on wearing a tin foil hat, it's uber easy
> to disable the automatic update checker.

I do not want to do that! And I never suggested that! (I hope you know what an md5 is....)

> For the other 99.99999% of people out there, this feature will be a godsend
> to them in both terms of new features and more importantly, the _only_ real
> way to make sure your site doesn't get hacked -- by running the latest
> version.

But still that is no reason to tell everybody which version I'm running. And sorry, I'm not able to update my software 24/7.

This is no f*ck'n pro/contra update checking discussion. It is a: Do you really need to collect all this information? And do you know that collecting it is a reasonable threat? Because if there is a security update and someone does get that list he can run an attack on those hosts who haven't updated yet.

Morty

> On 9/23/07, Moritz 'Morty' Strübe <mo...@gmx.net> wrote:
>> I know this will not change until Monday, but is it really necessary to
>> -> update.php:85 $http_request .= 'User-Agent: WordPress/' .
>> Cheers
>> _______________________________________________

--
strübe.de <http://xn--strbe-mva.de>
This email is signed. Should your email client not support signatures
My PGP/GPG key is available on the usual keyservers.
_______________________________________________
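As an added illustration that is not part of the thread, the Python sketch below shows both sides of the point argued above: what an update server's access log yields once clients send their version in the User-Agent header (the list of outdated installations Morty worries about), and a client-side comparison that needs only the published latest version number. The log lines, the request path and the IP addresses are constructed samples, not data from wordpress.org.

```python
import re

# Constructed sample lines from an update server's access log (not real data).
# Each update check delivers the client's IP and, through the User-Agent set
# in update.php, its WordPress version.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Sep/2007:12:30:01 +0100] "GET /version-check/ HTTP/1.0" 200 45 "-" "WordPress/2.2.3"
198.51.100.7 - - [23/Sep/2007:12:31:14 +0100] "GET /version-check/ HTTP/1.0" 200 45 "-" "WordPress/2.3"
192.0.2.9 - - [23/Sep/2007:12:32:40 +0100] "GET /version-check/ HTTP/1.0" 200 45 "-" "WordPress/2.1.2"
203.0.113.5 - - [23/Sep/2007:12:33:08 +0100] "GET /version-check/ HTTP/1.0" 200 45 "-" "WordPress/2.2.3"
"""

# Client IP is the first field; the version sits in the final quoted User-Agent.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*"WordPress/(?P<version>[0-9][0-9.]*)"\s*$')


def parse_version(v):
    """'2.2.3' -> (2, 2, 3) so versions compare numerically ('2.10' > '2.9')."""
    return tuple(int(part) for part in v.split("."))


def needs_update(installed, latest):
    """Client-side check: only the published latest version has to be fetched;
    the installed version never leaves the server running the blog."""
    return parse_version(installed) < parse_version(latest)


def outdated_installs(log_text, latest):
    """Server-side view: what a leaked log yields. Returns {ip: version} for
    every client that reported a version older than `latest`."""
    found = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated request, no WordPress User-Agent
        if needs_update(m["version"], latest):
            found[m["ip"]] = m["version"]
    return found


if __name__ == "__main__":
    for ip, ver in sorted(outdated_installs(SAMPLE_LOG, "2.3").items()):
        print(f"{ip} still runs WordPress {ver}")
```

Running it lists the two sample clients behind the latest version, which is exactly the information the thread argues need not be collected centrally when the comparison can be done locally.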