[wp-hackers] Wordpress Cookie Authentication Vulnerability
Abel Cheung
abelcheung at gmail.com
Fri Nov 23 09:53:15 GMT 2007
On Nov 23, 2007 5:12 PM, Computer Guru <computerguru at neosmart.net> wrote:
> Oh, I'm not _denying_ that it's not a bad thing - I was laughing at how this
> has been termed a "vulnerability" rather than "WordPress makes it a bit more
> difficult to clean up after a hack attack"
I see it in vastly different way.
Initial condition: one gets read-only access to WP database.
Net result: one gets READ-WRITE access to WP database.
>
> Vulnerability: Something that lets you get into or modify the system.
> Compare it to this: once root access to your system has been compromised, is
> it a *vulnerability* that the cracker can install FTP or SSH?
I would compare it this way instead: after one gets non-root access to
your system, one can SYSTEMATICALLY elevate to root privileges and
install whatever they like.
Though what I'm angry with is more than just this. Now I see what
security at wordpress.org is. Aliased to Matt, is it? That's the only
logical conclusion I can come up with.
Abel
>
> It's just unwanted behavior, not a vulnerability.
>
>
>
> On 11/23/07, Abel Cheung <abelcheung at gmail.com> wrote:
> >
> > On Nov 20, 2007 3:11 PM, Computer Guru <computerguru at neosmart.net> wrote:
> > > You've got to be kidding me!
> > >
> > > I read the first five words then burst out laughing:
> > > "With read-only access to the Wordpress database"...
> > >
> > > Once you've got read-only access to a database, how much more vulnerable
> > do
> > > you want?
> >
> > Since it is already vulnerable if somebody get read-only access, why
> > not only store plain text password inside database? Vulnerable anyway.
> > (According to your logic).
> >
> > Abel
> >
> > >
> > >
> > >
> > >
> > > On 11/20/07, Santanu Misra <santanu.misra at gmail.com> wrote:
> > > >
> > > > Not sure if this is discussed already.
> > > >
> > > > http://lwn.net/Articles/259204/
> > > >
> > > >
> > > > -- Thanks
> > > > _______________________________________________
> > > > wp-hackers mailing list
> > > > wp-hackers at lists.automattic.com
> > > > http://lists.automattic.com/mailman/listinfo/wp-hackers
> > > >
> > >
> > >
> > >
> > > --
> > > Computer Guru
> > > Director,
> > > NeoSmart Technologies
> > > http://neosmart.net/blog/
> > >
> > > _______________________________________________
> > > wp-hackers mailing list
> > > wp-hackers at lists.automattic.com
> > > http://lists.automattic.com/mailman/listinfo/wp-hackers
> > >
> >
> >
> >
> > --
> > Abel Cheung (GPG Key: 0xC67186FF)
> > Key fingerprint: 671C C7AE EFB5 110C D6D1 41EE 4152 E1F1 C671 86FF
> > --------------------------------------------------------------------
> > * My own cave: http://me.abelcheung.org/
> > * Opensource Application Knowledge Assoc. - http://oaka.org/
> > _______________________________________________
> > wp-hackers mailing list
> > wp-hackers at lists.automattic.com
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
> >
>
>
>
> --
> Computer Guru
> Director,
> NeoSmart Technologies
> http://neosmart.net/blog/
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
--
Abel Cheung (GPG Key: 0xC67186FF)
Key fingerprint: 671C C7AE EFB5 110C D6D1 41EE 4152 E1F1 C671 86FF
--------------------------------------------------------------------
* My own cave: http://me.abelcheung.org/
* Opensource Application Knowledge Assoc. - http://oaka.org/
More information about the wp-hackers
mailing list