[wp-hackers] Plugin update & security / privacy

Moritz 'Morty' Strübe morty at gmx.net
Sun Sep 23 09:35:41 GMT 2007


I know this will not change until Monday, but is it really necessary to
transmit the URL? Wouldn't the md5 of the URL do? I know it's easy to
find WP-Blogs via Google. But imagine having them all nicely in a database
- all of them. Including version, plugins and so on. If that database
gets public and you find a security bug in one of the plugins - there
are enough - you can start a _very_ effective attack!

-> update.php:85     $http_request .= 'User-Agent: WordPress/' . $wp_version . '; ' . get_bloginfo('url') . "\r\n";

Cheers
Morty
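
The proposal above, sketched as an added example (not WordPress code and not part of the original post): the header built with the clear URL, with the md5 of the URL, and with a keyed hash. The URL, version, secret and function names are constructed for illustration; the keyed variant is an assumption that goes beyond the post, included because an unkeyed md5 of a URL can be confirmed by anyone who holds a list of candidate URLs.

```php
<?php
// Added example, not WordPress code. All values below are constructed.
$wp_version  = '2.3';                          // constructed sample version
$blog_url    = 'http://blog.example.org';      // constructed sample URL
$site_secret = 'constructed-per-site-secret';  // hypothetical: random value kept on the site

// Header as in the quoted update.php line: the blog URL is sent in clear text.
function ua_plain($version, $url) {
    return 'User-Agent: WordPress/' . $version . '; ' . $url . "\r\n";
}

// The proposal from the message: send md5(URL) instead of the URL.
function ua_md5($version, $url) {
    return 'User-Agent: WordPress/' . $version . '; ' . md5($url) . "\r\n";
}

// Hypothetical variant: keyed hash, the key never leaves the site.
function ua_hmac($version, $url, $secret) {
    return 'User-Agent: WordPress/' . $version . '; '
         . hash_hmac('sha256', $url, $secret) . "\r\n";
}

// Privacy check: can a holder of the stored identifier confirm a URL it
// already knows (for example from a search index)? Returns the match or null.
function confirm_known_url($token, array $candidates) {
    foreach ($candidates as $candidate) {
        if (md5($candidate) === $token) {
            return $candidate;
        }
    }
    return null;
}

echo ua_plain($wp_version, $blog_url);
echo ua_md5($wp_version, $blog_url);
echo ua_hmac($wp_version, $blog_url, $site_secret);

// Constructed candidate list containing the sample URL.
$candidates = array('http://other.example.net', 'http://blog.example.org');

// The md5 identifier is confirmed against the list.
var_dump(confirm_known_url(md5($blog_url), $candidates));

// The keyed identifier matches no candidate without the secret: prints NULL.
var_dump(confirm_known_url(hash_hmac('sha256', $blog_url, $site_secret), $candidates));
```

Both hashed forms still give the update server a stable per-site identifier for counting installs; only the keyed one resists confirmation against a list of known blog URLs.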


