Comments on: WordPress Cross Site Scripting Vulnerability in templates.php Uncovered

By: How to Handle Security Flaws | Technosailor.com

How to Handle Security Flaws | Technosailor.com — Sat, 29 Nov 2008 20:49:44 +0000

[...] 5, 2007 · 12 comments Yesterday, over at Blog Herald, the new management demonstrated the entirely wrong way of handling security flaws. (The flaw I detailed [...]

By: Andy Merrett

Andy Merrett — Thu, 11 Jan 2007 00:38:12 +0000

If we’re talking about estimations lowering and being cemented then I’m finding one right now. There’s a certain tone coming from some that takes an otherwise useful message and turns it into “Listen to me. I’m a coder. I’m wonderful. I’m right”. Maybe that’s what some networks do to people, but it’s a shame to see how the person I thought I was getting to know last year (before they switched networks) has gone all corporate and UTOA.

Still, it doesn’t matter much as I guess they won’t be reading BH for much longer.

By: WeRoam saves the day: Updating WordPress to latest release | PHP Magazine

WeRoam saves the day: Updating WordPress to latest release | PHP Magazine — Mon, 08 Jan 2007 05:28:47 +0000

[...] The intermittent connection has made me dependent these past few days on the PLDT WeRoam account temporarily assigned to my wife. WeRoam isnâ€™t as fast as Globelines BQ (before the quake) but with it, I manage to check my mails and browse â€œmust-visitâ€ sites such as del.icio.us and Lifehacker. I seldom visit, let alone log into, my blog these days because of the awful connection speeds. Luckily, I managed to open my Google Reader an hour back and read JAngeloâ€™s post about a vulnerability in WordPress, the open source script I use in this site. I promptly logged into my blog and found that version 2.0.6 has been released. [...]

By: Recommended Update: WordPress 2.0.6 at The Blog Herald

Recommended Update: WordPress 2.0.6 at The Blog Herald — Sun, 07 Jan 2007 20:33:06 +0000

[...] Blog Software Jan 7 at 6:31 pm by Markku Seguerra -In light of the recently reported cross–site scripting vulnerabilities in WordPress, version 2.0.6 has been released to address the said issues in the templates.php file as detailed in these entries from Operation N and Security Focus. (As cited in our related coverage.) [...]

By: Mark

Mark — Sun, 07 Jan 2007 18:26:26 +0000

Okay. I stand corrected. But still, maybe we can do without the nasty vibe a wee bit.

By: Aaron Brazell

Aaron Brazell — Sun, 07 Jan 2007 13:20:13 +0000

Mark: I said nothing about the story until after WordPress 2.0.6 was officially released. That is, not a beta version, but the offiicial version. I didn’t even say anything on Blog Herald. Granted, I didn’t see it here until after 2.0.6 was released or I probably would have said something privately.

David:

1. Blog Herald is not the sole irresponsible party here. But they are the one with the biggest bullhorn. The original posters that were quoted also bear responsiblity. And what about the people who don’t read BH that use WordPress. Are they responsible finding out about the “patch” provided here and implementing it for themselves?

2. Where is this debate? It seems the only debate is between black hat and white hat hackers. Do you subscribe to Bugtraq? Do you see the thousands of bug reports that are reported every month?

As for WordPress’ fix, yeah – they rushed 2.0.6 out the door because of stuff like this being public and in the process broke something else because it was a rush job. Now they have to look at 2.0.7 to fix that. Come on, don’t give me what is responsible and what is not.

3. See #2.

4. No one but now hackers know and the rest of the world knows.

By: David Kierznowski

David Kierznowski — Sun, 07 Jan 2007 08:51:37 +0000

Let me put the record straight:

1. A patch was provided with the original advisory. Therefore, not only was a problem advertised but a solution provided. So who is being irresponsible? The one not spreading the word or the one pointing out the problem and offering a solution.

2. There is much debate (still) over what is responsible and what is irresponsible with how one releases security holes. In this case a fix was provided with the problem, not to mention WordPress had an overnight patch.

3. If it is irresponsible for the security community to publish holes, is it not also irresponsible for the software vendor who is releasing a package to the public that has not been sufficiently tested?

4. Who says attackers didn’t already know about the vulnerability?

Nuff said.

By: Mark

Mark — Sun, 07 Jan 2007 04:44:51 +0000

Jeremy- I think that this is understood now and the way you put it here is fine. One lives and learns by one’s mistakes.

What I don’t get, however, is the way that such feedback is delivered by Aaron Brazell- who is essentially enflaming a story that he himself claims should not be for public consumption, both here and on his own blog.

Wouldn’t the best way for him to have handled things, given the correct protocol, been to have privately contacted BH editorial staff and asked that the post be taken down? I am sure that he would have received a positive response.

In the end of the day, I would hope that we’re all pretty much on the same side.

By: Jeremy Wright

Jeremy Wright — Sat, 06 Jan 2007 23:19:58 +0000

For the record, it’s considered irresponsible in security circles to publish or publicize bugs where the software’s creators are currently working actively on a patch (and when the patch is only days away).

Sure, the Blog Herald didn’t publish the details initially, but they still broadened interest in it needlessly. It’s not a public service if there isn’t anything appropriate the public can do to protect themselves.

By: Big Roy

Big Roy — Sat, 06 Jan 2007 16:07:52 +0000

As an independent observer. I think this comment thread reflects more on Mr. Brazell than it does Mr. Racoma’s post.

By: Tony

Tony — Sat, 06 Jan 2007 15:43:46 +0000

I guess we’ll have to work doubly hard, then. ;)

By: Aaron Brazell

Aaron Brazell — Sat, 06 Jan 2007 14:32:17 +0000

Tony: My opinion wasn’t changed. It was merely cemented.

By: Tony

Tony — Sat, 06 Jan 2007 05:46:08 +0000

I think what Aaron was commenting on was the usual way of dealing with vulnerabilities and exploits to minimize the chance of publicizing the vulnerabilities to hackers.

However, without speaking too much for Angelo, I think I’ll agree with Abe here — the intention was never to do the wrong thing in pursuit of the scoop.

If this security publishing faux pas has changed your opinion about the BlogHerald, I’m sorry for that — but I think our new columnists are doing their damndest to try and make it better.

And hopefully in the New Year we can make you a believer too. ;)

Cheers,
Tony.

By: Wordpress 2.1′e az kala | Blog ve Wolkanca.Com - Evden iÅŸe iÅŸten eve Blog!

Sat, 06 Jan 2007 04:55:27 +0000

[...] WordPress 2.1′e az kala wolkanca Kategori: Blog blog, Guvenlik, Guvenlik aciklari, Surum yukseltme, wordpress WordPress 2.06 sÃ¼rÃ¼mÃ¼, geliÅŸtiricilerinin blogunda yazÄ±ldÄ±ÄŸÄ±na gÃ¶re 2.0 serisinin sonu, bundan sonra Ã§Ä±karÄ±lacak sÃ¼rÃ¼mler 2.1 iÃ§in Ã¶n hazÄ±rlÄ±k olacakmÄ±ÅŸ. 2.05 sÃ¼rÃ¼mÃ¼nde acemide okuduÄŸuma gÃ¶re XSS aÃ§Ä±ÄŸÄ± varmÄ±ÅŸ, bende bu yÃ¼zden hemen blogu 2.06 ya yÃ¼kseltmeyi dÃ¼ÅŸÃ¼nÃ¼yorum. Worpress mizin sÃ¼rÃ¼mÃ¼nÃ¼ yÃ¼kseltmek iÃ§in her zamanki gibi WordPress TÃ¼rkiye belgelerinden faydalanÄ±yoruz. [...]

By: Abe Olandres

Abe Olandres — Sat, 06 Jan 2007 04:45:31 +0000

Hello Aaron,

It wasn’t as if we were the ones who first discovered the vulnerability prior to v2.0.6, so it wasn’t a “scoop” for us. If you read the post again, you will notice several links to the original sites which cited the problem.

Our intention is to inform and warn people of such vulnerabilities and help them find ways to fix it. Our motive was clear. If you didn’t see the good intention, some other readers & WP users might. While you look at it as irresponsible, some of us look at it as cautiously responsible. We’ll just have to settle with the fact that we can’t really please everybody with what we deliver to our readers.

By: How to Handle Security Flaws » Technology, Blogging and New Media

How to Handle Security Flaws » Technology, Blogging and New Media — Sat, 06 Jan 2007 03:04:29 +0000

[...] Yesterday, over at Blog Herald, the new management demonstrated the entirely wrong way of handling security flaws. (The flaw I detailed here) [...]

By: Aaron Brazell

Aaron Brazell — Sat, 06 Jan 2007 02:26:45 +0000

It was released before WP 2.0.6. As it happens, I knew about one of the flaws weeks ago but you didn ‘t see me post anything on it, did you? The reality is thousands of people use WordPRess and all you can offer them for your hand flailing is a beta version of WordPress 2.0.6.

I think it’s wiser for you to study up on how to handle these issues in the future. It makes you a better citizen. My flailing trust in BH has slipped further due to your demonstrated irresponsibility.

By: J. Angelo Racoma

J. Angelo Racoma — Sat, 06 Jan 2007 02:21:09 +0000

Aaron,

It wasn’t a scoop–the news would’ve spread even without us posting about it, so I thought it best to post this as a warning. Patching WP to fix bugs would always be a good idea.

By: WeRoam saves the day: Updating WordPress to latest release | Leon Kilat ::: The Cybercafe Experiments

Fri, 05 Jan 2007 21:30:30 +0000

[...] The intermittent connection has made me dependent these past few days on the PLDT WeRoam account temporarily assigned to my wife. WeRoam isn’t as fast as Globelines BQ (before the quake) but with it, I manage to check my mails and browse “must-visit” sites such as del.icio.us and Lifehacker. I seldom visit, let alone log into, my blog these days because of the awful connection speeds. Luckily, I managed to open my Google Reader an hour back and read JAngeloâ€™s post about a vulnerability in WordPress, the open source script I use in this site. I promptly logged into my blog and found that version 2.0.6 has been released. [...]

By: Aaron Brazell

Aaron Brazell — Fri, 05 Jan 2007 20:42:58 +0000

It’s a shame BH couldn’t have acted more responsibly and waited for 2.0.6 to be released before announcing an XSS flaw to the blogging world that predominantly uses WordPress. Sometimes the “scoop” isn’t the wisest choice.

By: WordPress’in 2.0.6 versiyonu yayÄ±nlandÄ± » Acemi Blogcu

WordPress’in 2.0.6 versiyonu yayÄ±nlandÄ± » Acemi Blogcu — Fri, 05 Jan 2007 19:37:03 +0000

[...] BugÃ¼n iÅŸ dÃ¶nÃ¼ÅŸÃ¼ evde her zamanki gibi NewsGator’Ä± kontrol ederken The Blog Herald‘da WordPress 2.0.5′de keÅŸfedilen bir XSS aÃ§Ä±ÄŸÄ±ndan bahsedildiÄŸine rastladÄ±m. GÃ¼venlik aÃ§Ä±ÄŸÄ± nedeni ile “Acaba henÃ¼z beta durumundaki WordPress 2.0.6′ya mÄ± yÃ¼kseltsem?” diye dÃ¼ÅŸÃ¼nÃ¼rken v2.0.6′nÄ±n wordpress.org’da yayÄ±nlandÄ±ÄŸÄ±nÄ± farkettim ve tabii hemen gÃ¼ncelledim. Kendinizi daha rahat hissetmenizi saÄŸlayacak bu olayÄ± size de tavsiye ederim :) [...]

By: WordPress Cross Site Scripting Vulnerability in templates.php | Content Writing and CopyWriting Blog

Thu, 04 Jan 2007 22:41:38 +0000

[...] A Blog Herald post talks about the scripting vulnerability in WordPress templates.php file and how to eliminate it: [...]

By: J. Angelo Racoma

J. Angelo Racoma — Thu, 04 Jan 2007 20:28:46 +0000

David,

We all speak Greek (or Geek?) every once in a while. I have a few friends who remind me of that often. Thanks for warning everyone with that WP vulnerability. I’ve a lot of blogs to fix!

Big Roy,

Thanks for the vote of confidence. We’re hoping people would notice the change.

By: Big Roy

Big Roy — Thu, 04 Jan 2007 18:21:07 +0000

I started reading The Blog Herald before I ever started my own blog. As time went on I found I wasn’t really happy with the tone being set.

I have to say the “new” Blog Herald is a big change. The articles are useful, original, and enjoyable to read. It’s obvious you guys aren’t just rehashing a bunch of stuff from other blogs.

This isn’t a dig at Matt in any way. I like him a lot and his writing. He gave me one of the first links to my blog.

Thanks for the heads up on WordPress.

By: Wednesday Links

Wednesday Links — Thu, 04 Jan 2007 15:39:43 +0000

[...] WordPress Cross Site Scripting Vulnerability Uncovered [...]