Comments on: 2in1 Security Bulletin

By: ???????? » ??????????????????????????????????

???????? » ?????????????????????????????????? — Fri, 08 Feb 2008 14:25:30 +0000

[...] WP-Cal (Weblog Tools Collection » Blog Archive » 2in1 Security Bulletin??) [...]

By: WordPress Wednesday News: WordPress 2.3.3 Security Must Upgrade, Plugins Vulnerable, Automatic Upgrades, and More : The Blog Herald

Thu, 07 Feb 2008 02:04:07 +0000

[...] Weblog Tools Collection reports vulnerabilities in Adserve WordPress Plugin v0.2 and WP-Cal WordPress Plugin. [...]

By: ?????????? ? ???????? wp-calc ? wp-adserv — ???????????? WordPress ??????

?????????? ? ???????? wp-calc ? wp-adserv — ???????????? WordPress ?????? — Mon, 04 Feb 2008 22:51:08 +0000

[...] WebLogTools ???????? ? ???? ????? ???????????, ????????? ? WordPress ????????: ??????? ??????? ?????????? SQL ???????? ? WordPress ??????? WP-Cal ?????? 0.? ??????? ??????? ???????? ???? “enter_the_dragon” ??????? ?? ?????????? ? WordPress ??????? Adserve Plugin version 0.2. [...]

By: BlogSecurity » Blog Archive » wp-calc & wp adserv plugin vulnerabilities

Mon, 04 Feb 2008 20:34:23 +0000

[...] at WeblogToolsCollection has reported two new vulnerabilities that have recently been found in WordPress plugins: Today, we [...]

By: Tadd

Tadd — Fri, 01 Feb 2008 16:01:26 +0000

Jeff - yeah I do enjoy these posts … not, like enjoy in as in a novel or movie … but I’m grateful that there are people who are helpful and point out problems with plugins that could bring your whole website down.

By: Jeffro2pt0

Jeffro2pt0 — Fri, 01 Feb 2008 12:18:05 +0000

@Alex Thanks for letting me know regardless. I was thinking of adding the prefix stuff to the codex article about hardening WordPress but because of the point you brought up, It’s better that I didn’t.

By: Alex

Alex — Fri, 01 Feb 2008 11:13:03 +0000

Jeffro: Er, that was meant ironic. I wrote that because the sentence “However, the malicious user must have knowledge of the database table prefix.” sounds like guessing the table prefix of a WordPress installation would be a substential blocker for an attacker. Btw, I also wouldn’t suggest changing the prefix, simply because there might be a bug in a plugin where wp_ is hardcoded. Unless you really have the necessity to change the prefix and you are ready to debug plugins, you should leave it.

By: Dhruva Sagar

Dhruva Sagar — Fri, 01 Feb 2008 05:46:05 +0000

This is really interesting, and nice information.
Very nice work done guys. By the way, do we have any workarounds around them from our side? any code changes you or anyone can suggest?

I think a work around, resolution should always be posted alongside such a vulnerability disclosure.

By: Jeffro2pt0

Jeffro2pt0 — Thu, 31 Jan 2008 22:30:13 +0000

@Alex I was checking out the Codex article for hardening WordPress and it is not suggested anywhere within the document to change the default database prefix.

@Tadd Do you enjoy these types of posts? Unfortunately, I see too many security related news posts for plugins but I can continue to write about the bulletins of you guys feel this is necessary.

By: Tadd

Tadd — Thu, 31 Jan 2008 15:17:32 +0000

See, this is why I love WordPress. The open community who would rather spread the information regarding the problem than exploit it. I remember working with a now defunct CMS that has a slew of holes. Rather than people letting everyone know, they would go around to any site they knew and would use the exploits - ruining all sites they found. Not very helpful.

BUT I’m glad WordPress community is good. Kudos.

By: Alex

Alex — Thu, 31 Jan 2008 14:30:34 +0000

However, the malicious user must have knowledge of the database table prefix.

What a good thing that the table prefix is not wp_ on 99% of the WordPress installations out there.