[wp-hackers] xmlrpc issue or no?

Jared Bangs jared at pacific22.com
Sun Feb 3 01:39:50 GMT 2008


On Feb 2, 2008 4:25 PM, Lloyd Budd <lloydomattic at gmail.com> wrote:

> On Feb 2, 2008 1:16 PM, Jared Bangs <jared at pacific22.com> wrote:
> >
> > It seems to me that if there's anywhere that "we" (WP dev/hacker community)
> > dropped the ball, it's the period of time between 12/12/2007 (when trac
> > ticket #5313 was closed) and 2/2/2008 (when it was reopened after an exploit
> > had been published).
>
> Jared, instead of speaking generally, could you share what evidence
> was overlooked?
>
> Thank you,
> Lloyd


I wasn't saying we overlooked any evidence, just that we didn't follow up on
it as well as we could have.

The evidence was basically just the reports of people's posts being
compromised in this manner. Since they were pretty serious, I think we could
have done more to either confirm or deny that there was a vulnerability that
caused this to be possible. I didn't say anyone overlooked this; I was only
suggesting that perhaps the issue shouldn't have been dropped as soon as it
was when a cause could not originally be identified.

BTW, I'm intentionally using language like "we", etc. because I'm not
intending to bash anyone or start flame wars. My simple point was that if
more of "us" in the WP dev community looked more closely at this issue I
believe that the root cause would have been discovered. Of course, that's
easy to say in hindsight, but since there are a limited number of places in
the code where a post can be modified like this (outside of SQL injection,
etc.) we theoretically could have found this one if we had enough people
seriously looking for it, IMHO.

Also, I think I was clear in lumping myself into the group of people who
didn't put enough effort into working on this problem. I have no good
excuses (other than the standard "not enough time"), but like I said,
perhaps we can just learn from this and do better next time. Perhaps more of
us can dedicate our time to this type of stuff instead of more "user facing"
/ recognizable stuff like adding more features.