[wp-hackers] SQL Injection again

Frederic de Villamil fdevillamil at gmail.com
Wed Jun 22 14:14:42 GMT 2005


On Wed, 22 Jun 2005 09:06:42 -0500, Jason Bainbridge wrote
> On 6/22/05, Frederic de Villamil <fdevillamil at gmail.com> wrote:
> > > Semi-related to this, I know the dashboard by default already
> > > includes the last handful of posts from the WP Development blog that
> > > lists any updates but a lot of the time I just breeze past that page
> > > so I don't realize there are any updates. Now of course you could
> > > say the due diligence should be on me to read it, but wouldn't it be
> > > a good idea to make security alerts stand out so people see it and
> > > understand that it is important they upgrade straight away?
> > 
> > I think there is already a mailing list for release announcement. If 
people
> > are concerned with security, they will subscribe at download I think. And
> > telling them there is a security flaw won't make 90% of them upgrade. 
Thay'll
> > just think "this won't happen to me, my blog is not known enough".
> 
> I was thinking more for your every day user than those of us that are
> tech savvy enough to follow a release announcement mailing list. Most
> users are likely to often see the dashboard so when a security alert
> is right there in big, bold text with a thick red border and a very
> stern recommendation that they should upgrade ASAP or risk being
> hacked then I think people would be a lot more likely to upgrade.
> 
> Although you are right in that people will still ignore it if they
> read it but if we can at least make sure they read it then that is 
> one more step we can take.
> 
> regards,

All the question is "do people ever look at the dashboard?"
Why not include a simple security alert rss feed on wordpress.org which would 
be load when wp-admin is reached and make an alert message with a link 
pointing to the download page to be displayed on every admin when the version 
used is <= to the version with a fix?
That way we can expect the users to see they MUST upgrade.
Just think about an option to deactivate such an alert.

The fact is I have a lot of Wordpress users on my server (every user has at 
least one Wordpress install, and I recently had a look at their account. Some 
of them were still using 1.2 in spite of a few mails I had sent asking  for 
upgrade each time a new release was made.
So even with a big red alert, I still have some doubts.
--
Frédéric de Villamil
Ce qui est à moi est à moi, ce qui est à toi ça se négocie. (proverbe 
motokiste)
http://www.eretzvaju.org



More information about the wp-hackers mailing list