[wp-hackers] xmlrpc issue or no?

Lloyd Budd lloydomattic at gmail.com
Sun Feb 3 17:15:33 GMT 2008


Jared, I disagree that there is evidence that anyone "dropped the
ball", and assuming that was the case, I don't see solutions being
presented.

"rawalex" did provide some great clues, and I hope that he sent that
information and all the details he had to security at wordpress.org.

If we look at the log of xmlrpc.php, we will see a number of security
improvements around the time:
http://trac.wordpress.org/log/trunk/xmlrpc.php . Clearly an exploit
wasn't identified, or there would have been a release, but
opportunities to harden the code were found.

http://trac.mu.wordpress.org/ticket/528 is an awesome example of
participating Jared! And I know first hand how hard it is to find the
time, and how frustrating it is when the same priority I give to an
issue isn't shared by others. The original ticket by "drmike" isn't a
good one. No one's mother knows "how easy it is to lift a password hash
in wordpress", because the first requirement is getting access to or a
copy of the database, which, if it happens, means your mother is already
really upset with you. It is still a very important issue, and the
collaboration that has taken place around resolving the issue is
brilliant!

I long ago learned that if you don't have the time to champion an
issue, there is no point in reporting it, and even less in providing a
patch. The exception is the bug whose stink has been smelt in the next
room. You seem to be suggesting that donncha disagreed with the
importance of this issue, but I don't think he wrote that or thinks
that. He wrote "it's such an invasive change to the users table it's
better to wait until it's 100% reliable." Donncha's belief that the
fix needed more venting is sound, and a number of fixes to it have
been made since then.

Maybe because I'm sensitive to it after being the QA owner for
security issues on Netscape 8 and then Flock, but the perception that
WordPress has a poor security record is an issue close to my heart. I
say "perception" as I don't have the expertise in PHP or web apps of
this nature to know how founded it is, but it still hurts and I hope
people with the expertise and passion will shape the path to changing
that perception (it is safe to assume that the core participants write
more secure code today than yesterday, as they have been to the school
of hard knocks, and take the security issues personally).

You can lead the horses to water, but if they aren't as thirsty as you
they won't drink. Or, actions inspire more than words, and mostly I
just got words,
Lloyd
