[wp-hackers] Security at Wordpress
Ryan Duff
ryan at ryanduff.net
Fri Apr 21 22:39:25 GMT 2006
Elliotte Harold wrote:
> Brian Layman wrote:
>
>> The nonce solution that Owen proposed will adequately protect WP from my
>> approach. Therefore I don't have to give a "how-to tutorial" of an exploit
>> that could be adapted to attack any non-compiled, non-nonced, non-customized
>> web application out there.
>>
>
> If it's really that bad, I'd suggest you publish it because no one
> person is going to be able to fix all the web apps out there.
>
> However, I suspect what you've discovered is the well-known problem
> where GET is used for operations with side effects, a common flaw in web
> apps designed by people who don't understand HTTP. While not as widely
> known as it should be (which is why further publicity would be a good
> thing) it's hardly a new attack. It's certainly known to
> web-app-attackers everywhere. Being quiet about it only helps the black
> hats who already know.
>
Nobody here is trying to fix all the web apps. Just one. Seriously, are
you done hyping whatever was found?
--
Ryan Duff
http://ryanduff.net
AIM: ryancduff
irc.freenode.net #wordpress #plogger
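The flaw Elliotte describes (a GET request that changes state, which any page the victim visits can trigger through the victim's own browser and session cookie) and the nonce mitigation Brian refers to are illustrated below. This is an added example, not code from the thread or from WordPress: the request model, the `delete-post_<id>` action name, the 24-hour lifetime and the tick-bucketed HMAC construction are all assumptions chosen for the demonstration.

```python
"""Added example: a stateless, per-action, per-user nonce for state-changing requests."""
import hashlib
import hmac
import secrets
import time

# Constructed per-process secret. A real application persists it (a salt in
# its configuration) so nonces remain valid across restarts.
SECRET_KEY = secrets.token_bytes(32)
NONCE_LIFETIME = 24 * 60 * 60  # assumed: a nonce is accepted for 12 to 24 hours


def _tick(now):
    """Coarse time bucket of half the lifetime; see verify_nonce for why."""
    return int(now // (NONCE_LIFETIME / 2))


def create_nonce(action, user_id, now=None):
    """HMAC over (tick, action, user): nothing has to be stored server-side."""
    now = time.time() if now is None else now
    msg = f"{_tick(now)}|{action}|{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:16]


def verify_nonce(nonce, action, user_id, now=None):
    """Accept the current and the previous bucket, so a nonce issued late in a
    bucket still has at least half a lifetime left; compare in constant time."""
    now = time.time() if now is None else now
    for bucket in (_tick(now), _tick(now) - 1):
        msg = f"{bucket}|{action}|{user_id}".encode()
        expected = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:16]
        if hmac.compare_digest(expected, str(nonce)):
            return True
    return False


class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""

    def __init__(self, method, params, user_id):
        self.method = method    # "GET" or "POST"
        self.params = params    # query-string or form fields
        # user_id comes from the session cookie, which the browser attaches to
        # every request to the site, including ones other sites provoke.
        self.user_id = user_id


def delete_post_unsafe(req, posts):
    """The flaw under discussion: a side effect on GET with no request token.
    Any logged-in user whose browser fetches this URL deletes the post,
    regardless of where the link or embedded resource came from."""
    post_id = int(req.params.get("post", 0))
    return posts.pop(post_id, None) is not None


def delete_post_safe(req, posts):
    """Hardened handler: require POST and a nonce bound to this action and user."""
    if req.method != "POST":
        return False
    post_id = int(req.params.get("post", 0))
    token = req.params.get("_nonce", "")
    if not verify_nonce(token, f"delete-post_{post_id}", req.user_id):
        return False
    return posts.pop(post_id, None) is not None


if __name__ == "__main__":
    posts = {3: "hello", 4: "world"}
    cross_site = Request("GET", {"post": "3"}, user_id=7)
    print("unsafe handler deleted on bare GET:", delete_post_unsafe(cross_site, dict(posts)))
    print("safe handler deleted on bare GET:", delete_post_safe(cross_site, dict(posts)))
    form = Request("POST", {"post": "3", "_nonce": create_nonce("delete-post_3", 7)}, user_id=7)
    print("safe handler deleted with valid nonce:", delete_post_safe(form, dict(posts)))
```

The nonce is bound to the action and the user, so a token issued for one post or one account does not authorise a different operation, and because it is an HMAC over a time bucket rather than a stored value, checking it costs no database lookup. Moving the operation to POST on its own is not enough: the nonce is what stops a request that the browser was made to send from elsewhere.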