Comments on: Black Hat 2008: Pwnie Award Ceremony

By: Security

Security — Tue, 18 Nov 2008 14:18:31 +0000

Now I understand how it works. Keep it up! I love this game.

By: Jim Spence

Jim Spence — Sat, 18 Oct 2008 23:38:07 +0000

Saturday I was searching for sites related to Search Engine Placement and specifically and found this site.

By: Abel Cheung

Abel Cheung — Sun, 17 Aug 2008 16:36:11 +0000

Under current design having ’secured’ wordpress plugin invocation sounds impossible. Plugins are basically just included into the core and invoked like the core does. Though some function hooks are available for sanitizing input, those functions are only optional, and no expose for the function occur at any plugin writing tutorials.

Until recent releases, wordpress press releases have a tradition of suppressing any security announcement in order to make it look good. This is still true right now if press release is written by Matt himself. Only when it is written by others (like Ryan Boren) did it at least mention something. In this area Matt exactly behaves like Linus Torvald (including svn changelog messages too), if not worse.

And my personal experience with security@wordpress.org is that, it’s yet another blackhole like those utterly dysfunctional vendors.

By: Dr. Mike Wendell

Dr. Mike Wendell — Wed, 13 Aug 2008 17:02:22 +0000

What’s really sad about WordPress outside of Matt’s lack of manners, his inability to function in society and it’s lack of security is that a full security audit has been mentioned and discussed previously but nothing has yet occurred. Gallery did one and they don’t have the millions to spend like Matt does.

You would have thought the number of times they’ve had their own sites hacked, security would have taken a step up in importance. Guess not.

But considering that Matt’s now spamming his own site where ever he can instead of paying any attention to the splogs on wp.com and ignoring reports about them, does anything surprise you anymore?

By: Dan Guido

Dan Guido — Tue, 12 Aug 2008 06:23:44 +0000

viper007bond: plugins are not the reason WordPress is insecure. You can check it’s history of security problems over at osvdb.org if you’re curious.

By: Viper007Bond

Viper007Bond — Thu, 07 Aug 2008 10:44:48 +0000

klintor:

I'm a bit of a noob, but I don't even see how that's physically possible in a PHP based environment. As far as I know, you can't easily run a PHP script in like a container or whatever.

The only way I can think of to provide a plugin capability that met your requirements was if the plugin was like a XML file or something that just toggled flags/parameters in the software -- a configuration file basically. You wouldn't be able to expand on the software at all and would pretty much defeat the purpose of having plugins or an API.

And by your definition then just about every piece of software on the web that has an API should get the same award. Look at Firefox, vBulletin, PunBB, etc. etc. etc. etc. They all load external files that could potentially compromise the security of the computer/server.

If you have some brilliant idea or method to solve the problem, then please by all means, say so. Assuming it's a reasonable solution, I'd be more than happy to contribute code towards such a solution for submission to the people that run the WordPress development.

By: klintor

klintor — Thu, 07 Aug 2008 09:24:24 +0000

viper:

A truly secure platform (or OS) shouldn’t allow 3rd party apps to introduce system-level vulnerabilities. Period

By: Viper007Bond

Viper007Bond — Thu, 07 Aug 2008 06:29:05 +0000

I’m confused about WordPress — how can you consider vulnerable 3rd party code (plugins) manually installed by the user a vulnerability of WordPress itself? Especially more so if the user opts not to keep the 3rd party code up to date?

It’s as if I installed Firefox on my computer, a vulnerability was found in Firefox, and then the OS was deemed insecure as a result.

Or am I missing something?