[wp-hackers] Plugin update & security / privacy
Moritz 'Morty' Strübe
morty at gmx.net
Sun Sep 23 11:33:08 GMT 2007
> Your logic is flawed. You assume that someone looking to exploit won't
> attack the latest version. This is usually untrue.
And as the version gets transmitted you also get a nice list of outdated
> If a serious exploit is
> found, hackers usually just Google for "WordPress"
Didn't I already say I thought of that?
> (it's already on your
> site for "powered by WordPress") or like wp-login.php and then attempt to
> exploit it, regardless of version. If some database somewhere somehow did
> get leaked, then all it'd do is just make the hackers job easier -- it
> wouldn't enable them.
That's why I'm referring to plugins. Opposed to Wordpress plugins have
fewer installations and often maintained by a single person. Fewer
installations makes them less interesting for attacks, because it is not
always easy to find them. But if you have a nice list, including the
version in use.... The problem with the single person is, that this
person is maintaining the plugin in his spare time. Opposed to Wordpress
it self where a lot of people, making money, are interested in Wordpress
> And by checking for an update, your server's IP address is sent
> automatically. It wouldn't be hard to reverse lookup that IP.
First of all you don't need a reverse lookup as you can just enter the
IP. Second if you do a reverse lookup you often only get something linke
serverxy.hoster.tld, because most people don't want to spend so much
money for a v-server or even a real server. Therefore the IP doesn't
help you that much. Of couse you can check all the Domains on that Host,
but you would also have to check for subdomains and or subdirectories.
Of course there are people where you can start an attack using the IP or
with the domain you get with a reverse lookup, but those are not the
installations I'm worried about. BTW: Being able to access a server by
IP number or the reverse DNS-entry is a security flaw in my eyes, but
that is another matter.
Or in short: The IP helps you, but not much.
> Simply put, if you really insist on wearing a tin foil hat, it's uber easy
> to disable the automatic update checker.
I do not want to do that! And I never suggested that! (I hope you know
what a md5 is....)
> For the other 99.99999% of people
> out there, this feature will be a godsend to them in both terms of new
> features and more importantly, the _only_ real way to make sure your site
> doesn't get hacked -- by running the latest version.
But still that is no reason to tell everybody which version I'm running.
And sorry I'm not able to update my Software 24/7. This is no f*ck'n
pro/contra update checking discussion. It is a: Do you really need to
collect all this information? And do you know that collecting it is a
reasonable threat? Because if there is a security update and someone
does get that list he can run an attack on those hosts who haven't
> On 9/23/07, Moritz 'Morty' Strübe <morty at gmx.net> wrote:
>> I know this will not change until Monday, but is it really necessary to
>> transmit the URL? Wouldn't the md5 of the URL do? I know it's easy to
>> find WP-Blogs via google. But imagine have them all nicely in a database
>> - All of them. Including version, plugins and so on. If that database
>> gets public and you find a security bug in one of the plugins - there
>> are enough - you can start a _very_ effective attack!
>> -> update.php:85 $http_request .= 'User-Agent: WordPress/' .
>> $wp_version . '; ' . get_bloginfo('url') . "\r\n";
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
Diese Email ist signiert. Sollte Dein Email-Client keine Signaturen
unterstützen wird eine smime.p7s-Datei im Anhang angezeigt.
Meinen PGP/GPG-Key gibt es auf den üblichen Keyservern.
More information about the wp-hackers