Message from discussion Plugin update & security / privacy - Data sent

Message-ID: <46F66A5A.6000808@gmx.net>
Date: Sun, 23 Sep 2007 14:30:02 +0100
From: Moritz 'Morty' Strübe <mo...@gmx.net>
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: wp-hack...@lists.automattic.com
Subject: Re: [wp-hackers] Plugin update & security / privacy - Data sent
References: <46F6336D.7010...@gmx.net>
In-Reply-To: <46F6336D.7010...@gmx.net>

To get some facts out, I added some debugging output.
Notice that there are 11k of data transmitted. Also, of course, your
WordPress version and your URL (which I already encapsulated in an MD5).
IMHO a list of plugin names and an answer with the current version
numbers is enough data to be transmitted.

The request:

POST /plugins/update-check/1.0/ HTTP/1.0
Host: api.wordpress.org
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 11000
User-Agent: WordPress/2.3-RC1; 4b028de5098db7fb05c6d6dd264de215

And the data:

data:object(stdClass)(2) {
  ["plugins"]=>
  array(15) {
    ["akismet/akismet.php"]=>
    array(5) {
      ["Name"]=>
      string(7) "Akismet"
      ["Title"]=>
      string(71) "<a href="http://akismet.com/" title="Visit plugin homepage">Akismet</a>"
      ["Description"]=>
      string(354) "Akismet checks your comments against the Akismet web service to see if they look like spam or not. You need a <a href="http://wordpress.com/api-keys/">WordPress.com API key</a> to use it. You can review the spam it catches under &#8220;Comments.&#8221; To show off your Akismet stats just put <code>&lt;?php akismet_counter(); ?></code> in your template."
      ["Author"]=>
      string(80) "<a href="http://photomatt.net/" title="Visit author homepage">Matt Mullenweg</a>"
      ["Version"]=>
      string(5) "2.0.2"
    }
    ["cjd_delete_de.php"]=>
    array(5) {
      ["Name"]=>
      string(35) "CJD-<br />Spam Nuke <br />(deutsch)"
      ["Title"]=>
      string(121) "<a href="http://chrisjdavis.org/category/wp-hacks/" title="Visit plugin homepage">CJD-<br />Spam Nuke <br />(deutsch)</a>"
      ["Description"]=>
      string(216) "Dieses Plugin macht all die Kommentare sicht- und l&ouml;schbar, die mit dem Attribut &#8216;Spam&#8217; in der Datenbank herumliegen. Deutsche Bearbeitung: <a href="http://www.journal.kylaloo.net/">Mathias Hundt</a>"
      ["Author"]=>
      string(105) "<a href="http://chrisjdavis.org/" title="Visit author homepage">Chris J. Davis, Scott (skippy) Merill</a>"
      ["Version"]=>
      string(5) "1.5.3"
    }
    ["follow.php"]=>
    array(5) {
      ["Name"]=>
      string(10) "Follow-URL"
      ["Title"]=>
      string(79) "<a href="http://blog.taragana.com" title="Visit plugin homepage">Follow-URL</a>"
      ["Description"]=>
      string(108) "Dieses Plugin entfernt das <strong>nofollow</strong>-Attribut, dass WordPress an Links in Kommentaren setzt."
      ["Author"]=>
      string(90) "<a href="http://blog.taragana.com/" title="Visit author homepage">Angsuman Chakraborty</a>"
      ["Version"]=>
      string(3) "1.0"
    }
    ["gengo/gengo.php"]=>
    array(5) {
      ["Name"]=>
      string(5) "Gengo"
      ["Title"]=>
      string(88) "<a href="http://jamietalbot.com/wp-hacks/gengo/" title="Visit plugin homepage">Gengo</a>"
      ["Description"]=>
      string(180) "Multi-language blogging for WordPress.<br/>Licensed under the <a href="http://www.opensource.org/licenses/mit-license.php">MIT License</a>, Copyright &copy; 2006-2007 Jamie Talbot."
      ["Author"]=>
      string(80) "<a href="http://jamietalbot.com/" title="Visit author homepage">Jamie Talbot</a>"
      ["Version"]=>
      string(3) "0.9"
    }
    ["gravatars2.php"]=>
    array(5) {
      ["Name"]=>
      string(10) "Gravatars2"
      ["Title"]=>
      string(84) "<a href="http://zenpax.com/gravatars2/" title="Visit plugin homepage">Gravatars2</a>"
      ["Description"]=>
      string(326) "Implements Gravatars (global avatars: gravatar.com) with enhanced caching support, cron support, &#038; administrative interface to control default options.  Registered users can use local Gravatars (also cached). Copyright 2006 Kip Bond; Licensed under the terms of the <a href="http://www.gnu.org/licenses/gpl.html">GPL</a>."
      ["Author"]=>
      string(82) "<a href="http://zenpax.com/gravatars2/" title="Visit author homepage">Kip Bond</a>"
      ["Version"]=>
      string(5) "2.6.1"
    }
    ["gravatars2-wpcron.php"]=>
    array(5) {
      ["Name"]=>
      string(18) "Gravatars2 WP-Cron"
      ["Title"]=>
      string(92) "<a href="http://zenpax.com/gravatars2/" title="Visit plugin homepage">Gravatars2 WP-Cron</a>"
      ["Description"]=>
      string(194) "Refreshes the cached gravatar images using a pseudo-cron implementation &#8212; Requires WP-Cron (http://skippy.net/blog/2005/10/09/wp-cron-14/) &#038; Gravatars2 (http://zenpax.com/gravatars2/)"
      ["Author"]=>
      string(82) "<a href="http://zenpax.com/gravatars2/" title="Visit author homepage">Kip Bond</a>"
      ["Version"]=>
      string(3) "1.1"
    }
    ["hello.php"]=>
    array(5) {
      ["Name"]=>
      string(11) "Hello Dolly"
      ["Title"]=>
      string(78) "<a href="http://wordpress.org/#" title="Visit plugin homepage">Hello Dolly</a>"
      ["Description"]=>
      string(295) "This is not just a plugin, it symbolizes the hope and enthusiasm of an entire generation summed up in two words sung most famously by Louis Armstrong: Hello, Dolly. When activated you will randomly see a lyric from <cite>Hello, Dolly</cite> in the upper right of your admin screen on every page."
      ["Author"]=>
      string(80) "<a href="http://photomatt.net/" title="Visit author homepage">Matt Mullenweg</a>"
      ["Version"]=>
      string(3) "1.5"
    }
    ["locktest.php"]=>
    array(5) {
      ["Name"]=>
      string(9) "Lock test"
      ["Title"]=>
      string(96) "<a href="http://xn--strbe-mva.de/post-notification/" title="Visit plugin homepage">Lock test</a>"
      ["Description"]=>
      string(14) "Tests locking."
      ["Author"]=>
      string(86) "<a href="http://xn--strbe-mva.de" title="Visit author homepage">Moritz Str&uuml;be</a>"
      ["Version"]=>
      string(3) "1.0"
    }
    ["a_o42-clean-umlauts.php"]=>
    array(5) {
      ["Name"]=>
      string(17) "o42-clean-umlauts"
      ["Title"]=>
      string(116) "<a href="http://otaku42.de/2005/06/30/plugin-o42-clean-umlauts/" title="Visit plugin homepage">o42-clean-umlauts</a>"
      ["Description"]=>
      string(366) "Das Plugin konvertiert die deutschen Umlaute in den Beitragstiteln, Kommentaren und Feeds zu ASCII. - Aus &auml;,&uuml;,&ouml;,&szlig; wird ein ae, ue, oe und ss. auf der L&ouml;sung von <a href="http://www.papascott.de">Scott Hanson</a>. Das Plugin wirkt sich nur aus, wenn bei der Permalinstruktur &#8220;<em>Basierend auf Datum und Name</em>&#8221; aktiviert ist."
      ["Author"]=>
      string(79) "<a href="http://otaku42.de/" title="Visit author homepage">Michael Renzmann</a>"
      ["Version"]=>
      string(5) "0.2.0"
    }
    ["wp-pagesnav/wp-pagesnav.php"]=>
    array(5) {
      ["Name"]=>
      string(7) "PageNav"
      ["Title"]=>
      string(88) "<a href="http://www.adsworth.info/wp-pagesnav" title="Visit plugin homepage">PageNav</a>"
      ["Description"]=>
      string(18) "Header Navigation."
      ["Author"]=>
      string(80) "<a href="http://www.adsworth.info/" title="Visit author homepage">Adi Sieker</a>"
      ["Version"]=>
      string(5) "0.0.1"
    }
    ["post_notification/post_notification.php"]=>
    array(5) {
      ["Name"]=>
      string(17) "Post Notification"
      ["Title"]=>
      string(104) "<a href="http://xn--strbe-mva.de/post-notification/" title="Visit plugin homepage">Post Notification</a>"
      ["Description"]=>
      string(74) "Sends an email to all subscribers. See readme or instructions for details."
      ["Author"]=>
      string(86) "<a href="http://xn--strbe-mva.de" title="Visit author homepage">Moritz Str&uuml;be</a>"
      ["Version"]=>
      string(8) "1.2.rc 5"
    }
    ["PN_mailfix.php"]=>
    array(5) {
      ["Name"]=>
      string(25) "Post Notification Mailfix"
      ["Title"]=>
      string(112) "<a href="http://xn--strbe-mva.de/post-notification/" title="Visit plugin homepage">Post Notification Mailfix</a>"
      ["Description"]=>
      string(54) "Fixes problems sending HTML-mails - Only for WP 2.2.x!"
      ["Author"]=>
      string(86) "<a href="http://xn--strbe-mva.de" title="Visit author homepage">Moritz Str&uuml;be</a>"
      ["Version"]=>
      string(5) "1.2.1"
    }
    ["timezone.php"]=>
    array(5) {
      ["Name"]=>
      string(9) "Time Zone"
      ["Title"]=>
      string(92) "<a href="http://kimmo.suominen.com/sw/timezone/" title="Visit plugin homepage">Time Zone</a>"
      ["Description"]=>
      string(136) "Automatische Umstellung von Sommerzeit auf Winterzeit. Einstellungen k&ouml;nnen unter: Optionen &raquo; Time Zone ge&auml;ndert werden."
      ["Author"]=>
      string(85) "<a href="http://kimmo.suominen.com/" title="Visit author homepage">Kimmo Suominen</a>"
      ["Version"]=>
      string(3) "2.1"
    }
    ["update-monitor.php"]=>
    array(5) {
      ["Name"]=>
      string(14) "Update-Monitor"
      ["Title"]=>
      string(78) "<a href="http://blogshop.de/" title="Visit plugin homepage">Update-Monitor</a>"
      ["Description"]=>
      string(133) "Stay informed about new WordPress releases. <em>Powered by <a href="http://wordpress-deutschland.org">WordPress Deutschland</a></em>."
      ["Author"]=>
      string(79) "<a href="http://blogshop.de/" title="Visit author homepage">Olaf A. Schmitz</a>"
      ["Version"]=>
      string(3) "1.3"
    }
    ["wp-db-backup.php"]=>
    array(5) {
      ["Name"]=>
      string(25) "WordPress Database Backup"
      ["Title"]=>
      string(105) "<a href="http://www.skippy.net/blog/plugins/" title="Visit plugin homepage">WordPress Database Backup</a>"
      ["Description"]=>
      string(44) "On-demand backup of your WordPress database."
      ["Author"]=>
      string(80) "<a href="http://www.skippy.net/" title="Visit author homepage">Scott Merrill</a>"
      ["Version"]=>
      string(3) "1.8"
    }
  }
  ["active"]=>
  array(3) {
    [0]=>
    string(12) "locktest.php"
    [1]=>
    string(39) "post_notification/post_notification.php"
    [2]=>
    string(27) "wp-pagesnav/wp-pagesnav.php"
  }
}



-- 

strübe.de <http://xn--strbe-mva.de>

This email is signed. If your email client does not support
signatures, an smime.p7s file will be shown as an attachment.

My PGP/GPG key is available on the usual keyservers.

_______________________________________________
wp-hackers mailing list
wp-hack...@lists.automattic.com
http://lists.automattic.com/mailman/listinfo/wp-hackers
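
The message above argues that plugin names going out and current version numbers coming back would be enough. The following is an added example of that exchange, not part of the original message and not WordPress code. The function names, the answer format, the use of the plugin file path as the name, and the serialize() body encoding used for the size comparison are assumptions.

```php
<?php
// Added example, not WordPress code; function names and the answer format
// are hypothetical.

// Request: plugin identifiers only. No Title/Description/Author HTML, no
// installed versions and no list of active plugins leave the site.
function build_minimal_request(stdClass $data): array
{
    $files = array_keys((array) $data->plugins);
    sort($files, SORT_STRING);          // order independent of install order
    return $files;
}

// The comparison runs locally against the server's answer
// (plugin file => current version).
function find_outdated(stdClass $data, array $current): array
{
    $outdated = [];
    foreach ($data->plugins as $file => $meta) {
        if (!isset($current[$file], $meta['Version'])) {
            continue;                   // unknown to the server, or no local version
        }
        if (version_compare($meta['Version'], $current[$file], '<')) {
            $outdated[$file] = $current[$file];
        }
    }
    return $outdated;
}

// Size of a form-encoded body; serialize() and the 'data' field are assumed.
function body_bytes($payload): int
{
    return strlen(http_build_query(['data' => serialize($payload)]));
}

// Constructed sample: two entries shaped like the dump above, fields trimmed.
$full = new stdClass();
$full->plugins = [
    'akismet/akismet.php' => [
        'Name'    => 'Akismet',
        'Title'   => '<a href="http://akismet.com/" title="Visit plugin homepage">Akismet</a>',
        'Author'  => '<a href="http://photomatt.net/" title="Visit author homepage">Matt Mullenweg</a>',
        'Version' => '2.0.2',
    ],
    'wp-db-backup.php' => ['Name' => 'WordPress Database Backup', 'Version' => '1.8'],
];
$full->active = ['wp-db-backup.php'];
$answer = ['akismet/akismet.php' => '2.1.0', 'wp-db-backup.php' => '1.8']; // constructed

printf("full: %d bytes, minimal: %d bytes\n", body_bytes($full), body_bytes(build_minimal_request($full)));
print_r(find_outdated($full, $answer));
```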