[wp-trac] Re: [WordPress Trac] #5116: WordPress (plugin) updates
can trigger inappropriately for non-hosted plugins
WordPress Trac
wp-trac at lists.automattic.com
Sun Sep 30 21:10:50 GMT 2007
#5116: WordPress (plugin) updates can trigger inappropriately for non-hosted
plugins
----------------------------+-----------------------------------------------
Reporter: Quandary | Owner: anonymous
Type: defect | Status: new
Priority: normal | Milestone: 2.3.1
Component: Administration | Version: 2.3
Severity: normal | Resolution:
Keywords: |
----------------------------+-----------------------------------------------
Changes (by zamoose):
* component: General => Administration
Comment:
I could see a situation where this could lead to malicious exploits. If a
malefactor registered a name of a popular-but-unhosted plugin (read: Bad
Behavior, Spam Karma, UTW, etc.) and then posted code that created bogus
admin users and then emailed the now-compromised blog's location back to
the bad actor, you could have quite a few blogs compromised in short order.
This means that the wp-plugins.org admin crew needs to be particularly
careful in approving projects, a situation that could lead to them being
even more overworked and more of a bottleneck than currently.
Clearly, I think there needs to be some additional hashing step that in
some way verifies that two plugins, identically named, are not in fact the
same plugin, preventing such impostors from gaining even short-term
advantages.
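A small model of the name-collision problem the comment describes and of the "hashing step" it asks for, added here as an illustration; it is not WordPress code, and the plugin headers, directory entries and fingerprint scheme are constructed assumptions.

```python
import hashlib
from typing import Optional

# Constructed sample data (not taken from wordpress.org): headers of plugins
# installed on a blog, and what the plugin directory reports under the same
# names. "Spam Karma" is assumed to be a popular plugin that is NOT hosted on
# the directory, so the hosted entry with that name is a registration by
# someone else.
LOCAL_PLUGINS = [
    {"name": "Akismet", "uri": "http://akismet.com/", "author": "Automattic", "version": "2.0.2"},
    {"name": "Spam Karma", "uri": "http://unknowngenius.com/", "author": "Dr Dave", "version": "2.3"},
]
DIRECTORY = {
    "Akismet": {"uri": "http://akismet.com/", "author": "Automattic", "version": "2.1"},
    "Spam Karma": {"uri": "http://example.invalid/sk", "author": "someone-else", "version": "9.9"},
}

def version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def naive_update(local: dict) -> Optional[str]:
    """Name-only match, the behaviour the ticket reports: any hosted entry
    with the same name and a higher version triggers an update offer."""
    hosted = DIRECTORY.get(local["name"])
    if hosted and version_tuple(hosted["version"]) > version_tuple(local["version"]):
        return hosted["version"]
    return None

def identity_hash(name: str, uri: str, author: str) -> str:
    """Hypothetical fingerprint binding a plugin name to its origin. The
    directory would record it when a project is first registered."""
    return hashlib.sha256(f"{name}\n{uri}\n{author}".encode()).hexdigest()

def verified_update(local: dict) -> Optional[str]:
    """Same check, but the hosted entry must carry the fingerprint of the
    installed plugin; an identically named project from another origin is
    ignored rather than offered as an update."""
    hosted = DIRECTORY.get(local["name"])
    if hosted is None:
        return None
    local_id = identity_hash(local["name"], local["uri"], local["author"])
    hosted_id = identity_hash(local["name"], hosted["uri"], hosted["author"])
    if local_id != hosted_id:
        return None  # same name, different origin: do not offer
    if version_tuple(hosted["version"]) > version_tuple(local["version"]):
        return hosted["version"]
    return None
```

The fingerprint only helps if the directory binds it to the account that first registered the name; an entry that copies the original header fields would still collide, which is why a signature from the original author is the stronger check.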
--
Ticket URL: <http://trac.wordpress.org/ticket/5116#comment:1>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software