[wp-trac] [WordPress Trac] #23394: Remove version from readme.html / Upgrade core doesn't restore the file
WordPress Trac
noreply at wordpress.org
Tue Apr 12 09:51:01 UTC 2016
#23394: Remove version from readme.html / Upgrade core doesn't restore the file
---------------------------+----------------------
Reporter: momo360modena | Owner:
Type: enhancement | Status: closed
Priority: normal | Milestone:
Component: Security | Version:
Severity: normal | Resolution: wontfix
Keywords: | Focuses:
---------------------------+----------------------
Comment (by RedSand):
@rmccue
It would probably be more accurate to call it a "research paper" than a
"comment". :)
All kidding aside, I'm a pretty smart guy...I realize that long comments
aren't likely to be read.
'''TL;DR'''
'''I just pointed out that more than 20% of WordPress installations (over
50 million websites) have major security issues, and you're more concerned
that my comment was too long.'''
I really am concerned when expedience is of a higher importance to the
WordPress core team than website security.
For the last decade, when users have brought up similar security issues,
the common response from the WordPress core team has been some variation
of "that's not a real security issue" and patently shut them down without
further consideration. I've searched through the tickets going years back
and read ticket after ticket like this. Yet, when someone has valid points
as to why they are wrong, and these are legit security issues, no one on
the core team seems to want to hear that.
'''The Long Version'''
'''I know you mean well when you tell me that my previous response is
likely to go unread, but do you realize exactly how exasperating that is
when you put it in context?''' Let me break it down:
1. Previous users report the security issue.
2. WordPress core team responds, saying "That's not a real security
issue," and closes the thread.
3. 3 years go by.
4. During that time, WordPress sites get hacked many, many times, and
security flaws are starting to be discovered in WordPress at a rapid pace,
getting to the point where every version has some vulnerability discovered
within a month or two of release.
5. I reopen the thread, saying, "Hey guys, __it's a real, honest-to-
goodness security issue__, WordPress has been hacked a bunch of
times...take it seriously now, yeah?"
6. WordPress core team member ( @chriscct7 ) gives the familiar response,
"That's not a real security issue," and again closes the thread.
7. I respond, showing why it __actually is a real security issue.__ Since
the previous responder from the core team does not understand the security
implications of the particular issue, it required education and a long
response.
8. A different WordPress core team member ( @rmccue ) responds saying,
"TL;DR, bro. Yeah, we're not gonna read that. We're too busy and stuff."
9. Not reading it allows WordPress core team members to stay in the dark
and keep telling people that "it's not a real security issue."
10. Sites will continue to get hacked.
11. The core team will be surprised. "Whoa! How'd that happen? WordPress
doesn't have any security issues!"
12. Vulnerabilities will only get fixed when reaching critical status and
proofs of concept are passed around the web.
13. More users will raise the red flag and point out that security best
practices are being (willfully?) ignored, and they will keep getting told,
"That's not a real security issue."
14. And the cycle will continue. "All of this has happened before, and all
of this will happen again."
'''Does anyone see the problem with that?'''
* It's ok for the core team to tell users they are wrong. (Even when they
are not.)
* However, if we take the time and effort to show that in fact you guys do
have a thing or two to learn, we get the response that we should write
shorter responses, and that you all are too busy for that.
* '''So...my time is less valuable than yours? SMH.'''
Don't you think proper website security is worth a few minutes of time
when the code you write impacts over 25% of the internet, and when the
potential impact of hacked websites can destroy people's lives and
businesses?
'''The previous response from WordPress core team members demonstrated a
severe lack of understanding of security issues and required a fairly long
response.'''
You guys have not been good at anticipating potential hacks because you
all have been failing to see where seemingly small or peripheral issues
fit into the big picture of security as a whole. '''Security isn't binary,
it's not on or off, it's not black or white. Security exists in shades of
gray, it's in percentages, it's about leveraging small cracks in the
armor, and hackers understand this.'''
Many of us who are pointing out these issues can anticipate potential
hacks because WordPress is blatantly ignoring certain security best
practices. Yet you guys still have the hubris to keep shutting us down
and telling us "that's not a real security issue". (I really don't enjoy
having to say that because I truly do love WordPress, the WordPress
community, and I consider every fellow WordPress developer a friend.)
My comments are worth taking the time to read as they will open some eyes
a bit. I was careful to make sure that everything I wrote is backed up by
data, and quotes respected resources. Every single point I made can be
verified independently. Top security researchers, experts, the NSA, etc.
will echo what I said.
I took ''several hours'' of my life to write it...people can take a ''few
minutes'' out of their life to read what I wrote.
'''I didn't spend all that time writing it for fun, or for my health...I took
the time to write it because it's a serious issue, and it needed to be
said. Trust me...that was the succinct version.'''
I've been doing this a long time, and have extensive experience when it
comes to security. You would do well to consider my points.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/23394#comment:17>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform