[wp-hackers] WordPress Plugin GUID
Stephen Rider
wp-hackers at striderweb.com
Fri Jun 5 15:16:16 GMT 2009
On Jun 5, 2009, at 9:56 AM, Jennifer Hodgdon wrote:
>>> Currently, if a plugin author chooses to self-host his plugin and
>>> not list it in the directory, a malicious individual could e-mail Matt
>>> and ask for an entry in the plugin directory with the same slug. Then,
>>> the malicious individual could release an 'update' to the plugin that
>>> could 0wn the blog.
>
> Couldn't they also put the same GUID in there as the original
> plugin? If you wanted to avoid hijacking of plugins hosted
> elsewhere, you'd also need to enforce the idea that the GUID for
> plugins on wp.org would be their wp.org full URL. In which case,
> putting it in automatically somehow seems like the only/best idea.
No, that's the opposite.
He describes a cracker putting a malware plugin in WP-Extend that
update/overwrites your self-hosted plugin.
You describe creating a self-hosted plugin that would be
updated/overwritten by someone else's WP-Extend plugin. Which isn't very
useful to a cracker....
Stephen
--
Stephen Rider
http://striderweb.com/
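To make the two scenarios in this thread concrete, here is an added example (not code from the thread, WordPress, or WP-Extend) that models an update client's decision in Python. It compares slug-only matching, which lets a directory entry registered under a self-hosted plugin's slug push an "update" onto that blog, with the policy Jennifer sketches, where the plugin's GUID is its full hosting URL and an offer is accepted only from the host that GUID names. The `guid` header field, the host `wordpress.org` as the directory, and all plugin slugs and URLs are constructed assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class InstalledPlugin:
    slug: str
    guid: str  # assumed: the plugin's declared home URL, used as its GUID


@dataclass(frozen=True)
class UpdateOffer:
    slug: str
    source: str  # URL of the update feed that produced this offer


def slug_only_accepts(plugin: InstalledPlugin, offer: UpdateOffer) -> bool:
    """Weak policy: any offer whose slug matches is applied."""
    return plugin.slug == offer.slug


def guid_bound_accepts(plugin: InstalledPlugin, offer: UpdateOffer) -> bool:
    """Hardened policy: slug must match AND the offer must come from
    the host named in the plugin's GUID. A non-URL GUID accepts nothing."""
    if plugin.slug != offer.slug:
        return False
    guid_host = urlparse(plugin.guid).hostname
    offer_host = urlparse(offer.source).hostname
    return guid_host is not None and guid_host == offer_host


# Constructed sample data for the two cases discussed in the thread.
DIRECTORY = "https://wordpress.org/plugins/"  # assumed directory base URL

# Case 1 (the hijack): a self-hosted plugin, and a directory entry that
# someone later registered under the same slug.
SELF_HOSTED = InstalledPlugin("widget-pack", "https://striderweb.com/plugins/widget-pack/")
HIJACK_OFFER = UpdateOffer("widget-pack", DIRECTORY + "widget-pack/")

# Case 2 (the inverse): a self-hosted plugin that claims the directory's
# URL as its GUID, so the directory's own entry legitimately updates it.
CLAIMS_DIRECTORY = InstalledPlugin("widget-pack", DIRECTORY + "widget-pack/")


def evaluate(plugin: InstalledPlugin, offer: UpdateOffer) -> dict:
    """Return what each policy would do with this offer."""
    return {
        "slug_only": slug_only_accepts(plugin, offer),
        "guid_bound": guid_bound_accepts(plugin, offer),
    }
```

Under slug-only matching the self-hosted plugin takes the directory's "update"; under the GUID-bound policy it does not, while a plugin whose GUID already points at the directory is still updated from there, which is the harmless inverse Stephen describes.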