Comments on: WordPress Security Predictions in 2009 http://blogsecurity.net/wordpress/wordpress-security-predictions-in-2009 Always something worth reading... Fri, 12 Mar 2010 11:09:45 +0000 http://wordpress.org/?v= hourly 1 By: Abel Cheung http://blogsecurity.net/wordpress/wordpress-security-predictions-in-2009/comment-page-1#comment-15113 Abel Cheung Sun, 18 Jan 2009 00:22:56 +0000 http://blogsecurity.net/?p=306#comment-15113 Let's make sure many peoples' heads are run over by cars before deciding whether to build traffic lights or not. Let’s make sure many peoples’ heads are run over by cars before deciding whether to build traffic lights or not.

]]> By: Matt http://blogsecurity.net/wordpress/wordpress-security-predictions-in-2009/comment-page-1#comment-15112 Matt Sat, 17 Jan 2009 23:31:29 +0000 http://blogsecurity.net/?p=306#comment-15112 DNS-reliance is a known factor in password resets, core upgrade, plugin installation, plugin browsing, pingbacks, update notification, pingomatic, and RSS/dashboard feeds. If you have any examples of distributed PHP web applications that deal with DNS in an elegant, secure way I would love to learn more about them. DNS-reliance is a known factor in password resets, core upgrade, plugin installation, plugin browsing, pingbacks, update notification, pingomatic, and RSS/dashboard feeds.

If you have any examples of distributed PHP web applications that deal with DNS in an elegant, secure way I would love to learn more about them.

]]> By: Matt http://blogsecurity.net/wordpress/wordpress-security-predictions-in-2009/comment-page-1#comment-15111 Matt Sat, 17 Jan 2009 03:18:46 +0000 http://blogsecurity.net/?p=306#comment-15111 I try to wherever I come across it, like above. I try to wherever I come across it, like above.

]]> By: zonknz http://blogsecurity.net/wordpress/wordpress-security-predictions-in-2009/comment-page-1#comment-15110 zonknz Sat, 17 Jan 2009 02:09:13 +0000 http://blogsecurity.net/?p=306#comment-15110 Matt, can you enlighten us then what protections exist in wordpress to ensure valid code is being applied and you're not being MITM/dns poisoned and redirected in the wordpress core upgrade feature? Code signing? https against a know cert? Or as i assert, are you relying on dns to assert validity of code? Matt, can you enlighten us then what protections exist in wordpress to ensure valid code is being applied and you’re not being MITM/dns poisoned and redirected in the wordpress core upgrade feature?

Code signing? https against a know cert? Or as i assert, are you relying on dns to assert validity of code?

]]> By: DK http://blogsecurity.net/wordpress/wordpress-security-predictions-in-2009/comment-page-1#comment-15109 DK Sat, 17 Jan 2009 01:01:48 +0000 http://blogsecurity.net/?p=306#comment-15109 Matt, I have no problem with this but it would be nice seeing the door swing in both directions. Matt, I have no problem with this but it would be nice seeing the door swing in both directions.

]]> By: Matt http://blogsecurity.net/wordpress/wordpress-security-predictions-in-2009/comment-page-1#comment-15108 Matt Fri, 16 Jan 2009 21:49:48 +0000 http://blogsecurity.net/?p=306#comment-15108 It would be nice if Blogsecurity contributed to debunking common WP security myths or misconceptions like the above or in the Codex: http://codex.wordpress.org/CVEs It would be nice if Blogsecurity contributed to debunking common WP security myths or misconceptions like the above or in the Codex:

http://codex.wordpress.org/CVEs

]]> By: Matt http://blogsecurity.net/wordpress/wordpress-security-predictions-in-2009/comment-page-1#comment-15107 Matt Fri, 16 Jan 2009 21:42:10 +0000 http://blogsecurity.net/?p=306#comment-15107 Zonknz, that's a DB upgrade, which is completely separate from the core upgrade feature which downloads and installs new files. You conflated the two. "[Y]ou can run [whatever] code on the [targeted] blog" is completely wrong. Zonknz, that’s a DB upgrade, which is completely separate from the core upgrade feature which downloads and installs new files. You conflated the two. “[Y]ou can run [whatever] code on the [targeted] blog” is completely wrong.

]]> By: DK http://blogsecurity.net/wordpress/wordpress-security-predictions-in-2009/comment-page-1#comment-15101 DK Thu, 15 Jan 2009 21:17:29 +0000 http://blogsecurity.net/?p=306#comment-15101 zonknz, I completely missed this, thanks for bringing it to my attention. I'll write something up on this. zonknz, I completely missed this, thanks for bringing it to my attention. I’ll write something up on this.

]]> By: zonknz http://blogsecurity.net/wordpress/wordpress-security-predictions-in-2009/comment-page-1#comment-15100 zonknz Thu, 15 Jan 2009 19:43:31 +0000 http://blogsecurity.net/?p=306#comment-15100 Maybe you've seen this, maybe not. http://www.securityfocus.com/archive/1/499505/30/0/threaded Anyone can force an upgrade of wordpress from any location, unathenticated. Suppose you can dns poison, MITM , the download itself = you can run what ever code on the targetted blog. Doesn't appear to be any signing, or reliable way to tell that the automatic d/l you're applying has actually come from wordpress.org - the real one, that is. They appear to be relying on DNS! for security! Crazy, Crazy. Maybe you’ve seen this, maybe not.

http://www.securityfocus.com/archive/1/499505/30/0/threaded

Anyone can force an upgrade of wordpress from any location, unathenticated.

Suppose you can dns poison, MITM , the download itself = you can run what ever code on the targetted blog.

Doesn’t appear to be any signing, or reliable way to tell that the automatic d/l you’re applying has actually come from wordpress.org – the real one, that is. They appear to be relying on DNS! for security!

Crazy, Crazy.

]]> By: DK http://blogsecurity.net/wordpress/wordpress-security-predictions-in-2009/comment-page-1#comment-15099 DK Thu, 15 Jan 2009 12:13:17 +0000 http://blogsecurity.net/?p=306#comment-15099 Peter, it looks interesting, I'll check it out over the weekend, thanks for the link. Peter, it looks interesting, I’ll check it out over the weekend, thanks for the link.

]]>