[wp-hackers] Plugin update & security / privacy

Ryan Finnie ryan at finnie.org
Tue Sep 25 18:33:47 GMT 2007


On Sun Sep 23 11:12:56 2007, Alex Günsche <ag.ml2007 at zirona.com> wrote:
> By the way, I was rather shocked when I saw what big bunch of data
> Akismet transmits on connecting to its server. Why the heck does Akismet
> transmit *all* my $_SERVER environment variables? That's a big reason to
> mistrust Akismet, unless there are *very* good reasons for that. And I
> doubt there are any.

Regardless of WordPress calling home with URL and plugin info (my 2
cents: not too bad, but it should be a core option), people seem to be
glossing over this.  What is Akismet sending during each spam check?

$_SERVER['PHP_AUTH_USER']
$_SERVER['PHP_AUTH_PW']
$_SERVER['HTTP_AUTHORIZATION']

If you have a basic HTTP AUTH (.htaccess, etc) set up on top of
WordPress (or I believe WordPress itself has an option for using HTTP
AUTH instead of cookie sessions), you are sending usernames and
passwords.

I'm not accusing Automattic of doing this intentionally, but this is a
MAJOR security problem.

RF
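Added example (editor's note, not code from Akismet, Automattic or WordPress): the post says the plugin forwards the whole of $_SERVER, which includes PHP_AUTH_USER, PHP_AUTH_PW and HTTP_AUTHORIZATION when Basic auth is in front of the site. The snippet below builds the outgoing payload the naive way and the scrubbed way, then checks each for credential material. The sample $_SERVER contents, the allowlist of fields, and the inclusion of HTTP_COOKIE in the credential list are assumptions made for this example, not taken from the plugin.

```php
<?php
// Added example, not Akismet's or WordPress's own code. Shows the leak the
// post describes and one way a plugin can scrub $_SERVER before forwarding it.

// Constructed sample of $_SERVER for a request that passed through HTTP Basic
// auth (.htaccess). All values are made up for this example.
$sample_server = [
    'REQUEST_METHOD'     => 'POST',
    'REQUEST_URI'        => '/wp-comments-post.php',
    'HTTP_USER_AGENT'    => 'Mozilla/5.0 (example)',
    'REMOTE_ADDR'        => '203.0.113.7',
    'PHP_AUTH_USER'      => 'editor',
    'PHP_AUTH_PW'        => 'hunter2',
    'HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('editor:hunter2'),
];

// Keys that carry credentials. The first three are the ones named in the post;
// HTTP_COOKIE is added here as an assumption (session cookies are just as secret).
const CREDENTIAL_KEYS = ['PHP_AUTH_USER', 'PHP_AUTH_PW', 'HTTP_AUTHORIZATION', 'HTTP_COOKIE'];

// Naive behaviour: serialise the whole environment and send it.
function build_payload_naive(array $server): string {
    return http_build_query($server);
}

// Hardened behaviour: keep only an explicit allowlist of fields a spam checker
// plausibly needs (allowlist chosen for this example), and drop credential keys
// as a second line of defence in case someone later widens the allowlist.
function build_payload_scrubbed(array $server): string {
    $allowed = ['REQUEST_METHOD', 'REQUEST_URI', 'HTTP_USER_AGENT', 'REMOTE_ADDR', 'HTTP_REFERER'];
    $clean = [];
    foreach ($server as $key => $value) {
        if (in_array($key, CREDENTIAL_KEYS, true) || !in_array($key, $allowed, true)) {
            continue;
        }
        $clean[$key] = $value;
    }
    return http_build_query($clean);
}

// Check a payload for credential material: either a credential key by name, or
// a raw secret value that may have been copied under some other key.
function leaks_credentials(string $payload, array $secrets): array {
    $found = [];
    parse_str($payload, $fields);
    foreach (CREDENTIAL_KEYS as $key) {
        if (array_key_exists($key, $fields)) {
            $found[] = $key;
        }
    }
    $decoded = urldecode($payload);
    foreach ($secrets as $secret) {
        if ($secret !== '' && strpos($decoded, $secret) !== false) {
            $found[] = 'value:' . $secret;
        }
    }
    return array_values(array_unique($found));
}

$secrets  = [$sample_server['PHP_AUTH_USER'], $sample_server['PHP_AUTH_PW'], $sample_server['HTTP_AUTHORIZATION']];
$naive    = build_payload_naive($sample_server);
$scrubbed = build_payload_scrubbed($sample_server);

echo "naive payload:    ", $naive, "\n";
echo "naive leaks:      ", implode(', ', leaks_credentials($naive, $secrets)) ?: '(none)', "\n";
echo "scrubbed payload: ", $scrubbed, "\n";
echo "scrubbed leaks:   ", implode(', ', leaks_credentials($scrubbed, $secrets)) ?: '(none)', "\n";
```

Run it with `php leak-check.php`. The naive payload reports all three credential keys plus the raw username, password and Basic header value; the scrubbed payload reports none. The same leaks_credentials() check can be pointed at whatever a plugin actually puts on the wire (for instance by logging the request body at the HTTP layer) to confirm the fix rather than trusting the source reading.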

