[wp-hackers] XMLRPC rework

Alexander Concha alex at buayacorp.com
Thu Aug 30 16:28:47 GMT 2007


Hello Folks.

I think WP's XMLRPC server needs more attention because it has some
buggy methods and by default allows unprivileged users to gather useful
information.

The following methods don't seem to work, and because of the security
implications I suggest removing them -- although I'm not sure whether
they were added for compatibility reasons.

- blogger_getTemplate
- blogger_setTemplate

OTOH, unprivileged users (aka anyone with a subscriber role) can
retrieve data which could be used for unknown purposes. Examples:

- mw_getRecentPosts will return posts including private fields like
post_password.
- wp_getAuthors will return the list of users with private data (email
and role).

Any comments?

Regards.

PS. Sorry for my bad English.
-- 
Alexander Concha
http://www.buayacorp.com/

You cannot change the course of history by changing the portraits
hanging on the wall
		-- Jawaharlal Nehru.
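One way to close the two leaks the message above describes (the post password returned by mw_getRecentPosts, and the e-mail and role returned by wp_getAuthors), as an added example that is not WordPress core code: filter each response struct against the caller's capabilities before it is serialized. It assumes it runs inside xmlrpc.php after the caller has been authenticated and set as the current user, so current_user_can() works; the struct keys 'wp_password', 'user_email' and 'meta_value', and the function names, are assumptions about the 2.x handlers and may differ by version.

```php
<?php
/*
 * Added example, not WordPress core code. Redacts private fields from
 * XML-RPC results unless the authenticated caller holds a capability
 * that implies the right to see them.
 *
 * Assumptions: current_user_can() is loaded and the caller is already
 * the current user (i.e. this runs after the login check in the
 * handler). Struct keys follow what the 2.x handlers emit and are an
 * assumption: 'wp_password' for the post password in
 * metaWeblog.getRecentPosts, 'user_email' and 'meta_value' (role) in
 * wp.getAuthors. All function names here are hypothetical.
 */

/*
 * metaWeblog.getRecentPosts: a caller who cannot edit a given post has no
 * business seeing its password, so drop that key. Callers who can edit the
 * post keep the full struct, which is what authoring clients rely on.
 */
function xmlrpc_redact_recent_posts(array $posts) {
    $out = array();
    foreach ($posts as $post) {
        $id = isset($post['postid']) ? (int) $post['postid'] : 0;
        if ($id === 0 || !current_user_can('edit_post', $id)) {
            unset($post['wp_password']);
        }
        $out[] = $post;
    }
    return $out;
}

/*
 * wp.getAuthors: only a caller allowed to manage users gets e-mail
 * addresses and roles. Everyone else gets the minimum an authoring client
 * needs to attribute a post: id, login and display name.
 */
function xmlrpc_redact_authors(array $authors) {
    if (current_user_can('edit_users')) {
        return $authors;
    }
    $public = array_flip(array('user_id', 'user_login', 'display_name'));
    $out = array();
    foreach ($authors as $author) {
        // array_intersect_key keeps only the whitelisted keys, so any
        // private field added later is dropped by default rather than leaked.
        $out[] = array_intersect_key($author, $public);
    }
    return $out;
}

/*
 * Wiring (illustrative): in the respective wp_xmlrpc_server method, build
 * the result array as before, then return
 *     xmlrpc_redact_recent_posts($result)   or
 *     xmlrpc_redact_authors($result)
 * instead of the raw array, after login_pass_ok() has succeeded.
 */
```

The whitelist approach for authors is deliberate: an opt-in list of public keys fails closed when a new field is added to the struct, whereas unset() on known private keys fails open. For posts the example only removes the password, because the rest of the struct is what clients legitimately fetch; whether a subscriber should receive non-published posts at all is a separate question the message does not raise.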

