[wp-hackers] Plugin update & security / privacy
Mark Jaquith
mark.wordpress at txfx.net
Sun Sep 23 17:48:34 GMT 2007
On Sep 23, 2007, at 5:35 AM, Moritz 'Morty' Strübe wrote:
> I know this will not change until Monday, but is it really necessary to
> transmit the URL? Wouldn't the md5 of the URL do? I know it's easy to
> find WP-Blogs via Google. But imagine having them all nicely in a database
> - All of them. Including version, plugins and so on. If that database
> gets public and you find a security bug in one of the plugins - there
> are enough - you can start a _very_ effective attack!
>
> -> update.php:85 $http_request .= 'User-Agent: WordPress/' .
> $wp_version . '; ' . get_bloginfo('url') . "\r\n";
I don't know, but I'm trying to find out. It seems unnecessary to
me. And it definitely works without it (or with a different --
anonymous -- string). Matt wrote that code, so I'll try to get a
hold of him today.
--
Mark Jaquith
http://markjaquith.com/
Covered Web Services
http://coveredwebservices.com/
WordPress Ninja @ b5media Inc
http://b5media.com/
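
An added example, not part of the original thread and not WordPress code: it builds the User-Agent line with the identifier options discussed above (blog URL, plain md5 of the URL, anonymous) plus a keyed hash, and shows that whoever holds the request log and a list of blog URLs can still link a plain md5 back to its blog by hashing the list, while the keyed and anonymous forms give no match. The function names, sample URLs, placeholder version and per-install secret are assumptions.

```php
<?php
// Added example, not WordPress code. All names and sample values are constructed.

// User-Agent line in the shape quoted from update.php:85, with a caller-chosen
// site identifier ('' = anonymous) in place of the blog URL.
function build_user_agent(string $wp_version, string $site_id): string {
    $ua = 'User-Agent: WordPress/' . $wp_version;
    if ($site_id !== '') {
        $ua .= '; ' . $site_id;
    }
    return $ua . "\r\n";
}

// Keyed identifier; assumes a random secret generated once and kept on the install.
function hmac_site_id(string $url, string $install_secret): string {
    return hash_hmac('sha256', $url, $install_secret);
}

// What a holder of the request log can do given a list of blog URLs:
// compare each candidate, in clear and as md5. Returns the matching URL or null.
function match_known_url(string $site_id, array $known_urls): ?string {
    foreach ($known_urls as $candidate) {
        if ($candidate === $site_id || hash_equals(md5($candidate), $site_id)) {
            return $candidate;
        }
    }
    return null;
}

$version = 'X.Y';                                   // placeholder version
$url     = 'http://blog.example.org';               // constructed
$known   = ['http://a.example.com', $url];          // constructed URL list
$secret  = 'constructed-per-install-secret';        // constructed

$ids = [
    'url'       => $url,
    'md5'       => md5($url),
    'hmac'      => hmac_site_id($url, $secret),
    'anonymous' => '',
];
// Print each header variant and whether the log holder can link it to a blog.
foreach ($ids as $label => $id) {
    echo $label, ': ', build_user_agent($version, $id);
    $hit = match_known_url($id, $known);
    echo '  linked to: ', $hit ?? '(no match)', "\n";
}
```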