Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-disclosure] WordPress Community Vulnerable

from [Steven Adair] Network Security [Permanent Link]
Subject: Re: [Full-disclosure] WordPress Community Vulnerable
Date: Thu, 24 May 2007 12:27:41 -0500 (EST) 
--On Thursday, May 24, 2007 09:44:02 -0500 Steven Adair
<steven@securityzone.org> wrote:


So do you think his two WordPress blogs (I am assuming here..looks a lot
like WP, but I'm not pounding out GET requests to verify) were included
in
this "survey" that was done?  I wonder if he's running a safe version?
And as mentioned in one of his blog comments, version reporting isn't
always reliable and patches that did not change the extractable version
number could have also been applied.

In any event, I think WordPress has increasingly become more secure.
It's
had a small rash of issues a few months back ranging from SQL injection
to
someone actually backdooring the source, but it's grown up quite a bit.
I
think someone would be hard pressed to actually come up with the Month
of
Wordpress bugs.  The majority of all other recently reported issues have
all from third party add-ons that aren't actually a part of WordPress.


Yes, but the point of his post isn't that *Wordpress* is insecure.  It's
that blog owners are not updating their software to maintain security.
While anyone in IT would go "doh!", many in the "real" world might be
surprised that the software has to be regularly updated and vigorously
maintained to ensure ongoing security.

This isn't exactly news for us, but it may well be for the blogosphere in
general.



Perhaps, but there is an assumption that may be incorrect that these blogs
are insecure.  Also, there is no mention of how the survey was done.  I
could probably go out and make a list of 2000 blogs where only one of them
wasn't the latest version.  I do understand his point though, and I
guarantee you can find well over 50 older version WP blogs that are
vulnerable.  However, part of my response was geared towards Larry's post
about the possibility MoWPB (Month of WordPress Bugs) -- which is
something I just don't see happening.

Steven


--
Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Full-disclosure] WordPress Community Vulnerable, Paul Schmehl
Next by Date:  Re: [Full-disclosure] WordPress Community Vulnerable, Kradorex Xeron
Previous by Thread:  Re: [Full-disclosure] WordPress Community Vulnerable, Paul Schmehl
Next by Thread:  Re: [Full-disclosure] WordPress Community Vulnerable, Kradorex Xeron
Indexes:  [Date] [Thread] [Top] [All Lists]