[wp-trac] Re: [WordPress Trac] #5116: WordPress (plugin) updates can trigger inappropriately for non-hosted plugins

WordPress Trac wp-trac at lists.automattic.com
Sun Sep 30 21:10:50 GMT 2007


#5116: WordPress (plugin) updates can trigger inappropriately for non-hosted
plugins
----------------------------+-----------------------------------------------
 Reporter:  Quandary        |        Owner:  anonymous
     Type:  defect          |       Status:  new      
 Priority:  normal          |    Milestone:  2.3.1    
Component:  Administration  |      Version:  2.3      
 Severity:  normal          |   Resolution:           
 Keywords:                  |  
----------------------------+-----------------------------------------------
Changes (by zamoose):

  * component:  General => Administration

Comment:

 I could see a situation where this could lead to malicious exploits.  If a
 malefactor registered a name of a popular-but-unhosted plugin (read: Bad
 Behavior, Spam Karma, UTW, etc.) and then posted code that created bogus
 admin users and then emailed the now-compromised blog's location back to
 the bad actor, you could have quite a few blogs compromised in short order.

 This means that the wp-plugins.org admin crew needs to be particularly
 careful in approving projects, a situation that could lead to them being
 even more overworked and more of a bottleneck than currently.

 Clearly, I think there needs to be some additional hashing step that in
 some way verifies that two plugins, identically named, are not in fact the
 same plugin, preventing such impostors from gaining even short-term
 advantages.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/5116#comment:1>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
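The comment's concern is that the update check matches a hosted project to an installed plugin by display name alone, and its proposed fix is a verification step that tells two identically named plugins apart. The following is an added model of both behaviours, written for this thread and not taken from WordPress or from the ticket's author. It assumes a small constructed repository listing and constructed plugin headers (the slugs, URIs and author strings are placeholders), and it uses a hash over the identity fields of the plugin header as the "additional hashing step", an assumption about what such a step could look like rather than a description of any WordPress implementation:

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class PluginHeader:
    """Fields a plugin file header carries (constructed model, not the WordPress parser)."""
    name: str        # "Plugin Name:" header line
    plugin_uri: str  # "Plugin URI:" header line
    author: str      # "Author:" header line
    version: str     # "Version:" header line


def version_tuple(v: str) -> tuple:
    """'2.0.1' -> (2, 0, 1); non-numeric components count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def identity_fingerprint(h: PluginHeader) -> str:
    """Hash of the identity fields only (version excluded). A candidate update
    must agree with the installed copy on name, URI and author, not just name."""
    material = "\n".join([h.name, h.plugin_uri, h.author]).encode("utf-8")
    return hashlib.sha256(material).hexdigest()


# Constructed repository listing (placeholder values, not real records).
# "bad-behavior" stands in for the scenario in the comment: a hosted project
# registered under the display name of a plugin that is not hosted.
REPOSITORY: Dict[str, PluginHeader] = {
    "bad-behavior": PluginHeader("Bad Behavior", "http://impostor.example/", "impostor", "9.9"),
    "hosted-widget": PluginHeader("Hosted Widget", "http://hosted-widget.example/", "widget team", "1.2"),
}

# Constructed installed plugins on a blog.
INSTALLED_UNHOSTED = PluginHeader("Bad Behavior", "http://bad-behavior.example/", "original author", "2.0")
INSTALLED_HOSTED = PluginHeader("Hosted Widget", "http://hosted-widget.example/", "widget team", "1.0")


def update_by_name_only(installed: PluginHeader, repo: Dict[str, PluginHeader]) -> Optional[str]:
    """Weak matching: any newer hosted record with the same display name is
    offered as an update. Returns the matching repository slug, or None."""
    for slug, rec in repo.items():
        if rec.name == installed.name and version_tuple(rec.version) > version_tuple(installed.version):
            return slug
    return None


def update_with_identity_check(installed: PluginHeader, repo: Dict[str, PluginHeader]) -> Optional[str]:
    """Name match alone is not enough: the hosted record must also carry the
    same identity fingerprint as the installed copy before it is offered."""
    want = identity_fingerprint(installed)
    for slug, rec in repo.items():
        if (rec.name == installed.name
                and identity_fingerprint(rec) == want
                and version_tuple(rec.version) > version_tuple(installed.version)):
            return slug
    return None


if __name__ == "__main__":
    # The name-only check offers the impostor record to the unhosted plugin;
    # the fingerprint check does not, but still finds the legitimate update.
    print("name-only, unhosted:", update_by_name_only(INSTALLED_UNHOSTED, REPOSITORY))
    print("verified,  unhosted:", update_with_identity_check(INSTALLED_UNHOSTED, REPOSITORY))
    print("verified,  hosted:  ", update_with_identity_check(INSTALLED_HOSTED, REPOSITORY))
```

The fingerprint only distinguishes records that differ in the fields it covers, so it narrows the window the comment describes rather than closing it on its own; it supplements, and does not replace, the review of hosted projects that the comment says the repository admins would still need to do.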

