[wp-hackers] Plugin update & security / privacy
Moritz 'Morty' Strübe
morty at gmx.net
Sun Sep 23 09:35:41 GMT 2007
I know this will not change until Monday, but is it really necessary to
transmit the URL? Wouldn't the md5 of the URL do? I know it's easy to
find WP-Blogs via Google. But imagine having them all nicely in a database
- All of them. Including version, plugins and so on. If that database
gets public and you find a security bug in one of the plugins - there
are enough - you can start a _very_ effective attack!
-> update.php:85 $http_request .= 'User-Agent: WordPress/' . $wp_version . '; ' . get_bloginfo('url') . "\r\n";
Cheers
Morty
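
Added example, not part of the original message and not WordPress code: the header shape quoted from update.php:85 built with the clear-text URL, with the md5 identifier proposed above, and with a keyed HMAC, plus a check of which identifiers can be mapped back to a URL from a list of public blog URLs. The function names, the sample URLs, the version placeholder 'X.Y' and the per-install secret are assumptions.

```php
<?php
// Added example, not WordPress code. Function names, URLs and the version
// placeholder 'X.Y' are constructed for illustration.

// Builds the header in the shape quoted from update.php:85.
function build_user_agent(string $wp_version, string $site_id): string {
    return 'User-Agent: WordPress/' . $wp_version . '; ' . $site_id . "\r\n";
}

// Variant proposed in the message: an unkeyed digest of the URL.
function site_id_md5(string $url): string {
    return md5($url);
}

// Assumption: keyed variant; $secret is generated once per install and never sent.
function site_id_hmac(string $url, string $secret): string {
    return hash_hmac('sha256', $url, $secret);
}

// Review check: given identifiers seen in request logs and a list of public
// blog URLs, return the identifiers that map back to a URL when the unkeyed
// digest is recomputed.
function linkable_ids(array $logged_ids, array $public_urls): array {
    $by_digest = [];
    foreach ($public_urls as $url) {
        $by_digest[md5($url)] = $url;
    }
    $linked = [];
    foreach ($logged_ids as $id) {
        if (isset($by_digest[$id])) {
            $linked[$id] = $by_digest[$id];
        }
    }
    return $linked;
}

$url    = 'http://blog.example.org';      // constructed sample URL
$secret = bin2hex(random_bytes(32));      // per-install secret (assumption)

$md5_id  = site_id_md5($url);
$hmac_id = site_id_hmac($url, $secret);

echo build_user_agent('X.Y', $url);       // URL in clear text, as quoted
echo build_user_agent('X.Y', $md5_id);    // md5 variant
echo build_user_agent('X.Y', $hmac_id);   // keyed variant

// Run the review check over both identifiers against a constructed URL list.
$linked = linkable_ids([$md5_id, $hmac_id], [$url, 'http://other.example.net']);
var_dump(isset($linked[$md5_id]), isset($linked[$hmac_id]));
```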