Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: WordPress Community Vulnerable

From: Kradorex Xeron <admin () digibase ca>
Date: Thu, 24 May 2007 13:57:12 -0400
On Thursday 24 May 2007 12:57, Paul Schmehl wrote:

--On Thursday, May 24, 2007 09:44:02 -0500 Steven Adair

<steven () securityzone org> wrote:

So do you think his two WordPress blogs (I am assuming here..looks a lot
like WP, but I'm not pounding out GET requests to verify) were included
in this "survey" that was done?  I wonder if he's running a safe version?
And as mentioned in one of his blog comments, version reporting isn't
always reliable and patches that did not change the extractable version
number could have also been applied.

In any event, I think WordPress has increasingly become more secure. 
It's had a small rash of issues a few months back ranging from SQL
injection to someone actually backdooring the source, but it's grown up
quite a bit.  I think someone would be hard pressed to actually come up
with the Month of Wordpress bugs.  The majority of all other recently
reported issues have all from third party add-ons that aren't actually a
part of WordPress.


Yes, but the point of his post isn't that *Wordpress* is insecure.  It's
that blog owners are not updating their software to maintain security.
While anyone in IT would go "doh!", many in the "real" world might be
surprised that the software has to be regularly updated and vigorously
maintained to ensure ongoing security.


Probably because alot of  the said blog owners that neglect upgrading are like 
any regular computer user, they just want something to work, and if it works, 
they assume it's okay, therefore, they ignore security upgrades since it 
would require additional work for something that is not visable to them, as 
they go by the premise, "if it has no new features, Why upgrade?"

We all know (at least I hope) that security upgrades are something worthwhile 
because we can see the difference (we can test the exploit on the new version 
to see if it's patched or nott), whereas a regular user would not.



This isn't exactly news for us, but it may well be for the blogosphere in
general.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: