2in1 Security Bulletin

12 responses | January 31st, 2008 | WordPress Security

Comments

  1. Alex (10 comments.) says:

    However, the malicious user must have knowledge of the database table prefix.

    What a good thing that the table prefix is not wp_ on 99% of the WordPress installations out there. ;)

  2. Tadd (89 comments.) says:

    See, this is why I love WordPress. The open community would rather spread the information regarding the problem than exploit it. I remember working with a now defunct CMS that had a slew of holes. Rather than people letting everyone know, they would go around to any site they knew and would use the exploits – ruining all sites they found. Not very helpful.

    BUT I’m glad the WordPress community is good. Kudos.

  3. Jeffro2pt0 (164 comments.) says:

    @Alex I was checking out the Codex article for hardening WordPress and it is not suggested anywhere within the document to change the default database prefix.

    @Tadd Do you enjoy these types of posts? Unfortunately, I see too many security related news posts for plugins, but I can continue to write about the bulletins if you guys feel this is necessary.

  4. Dhruva Sagar (15 comments.) says:

    This is really interesting, and nice information.
    Very nice work done, guys. By the way, do we have any workarounds for them from our side? Any code changes you or anyone can suggest?

    I think a work around, resolution should always be posted alongside such a vulnerability disclosure.

  5. Alex (10 comments.) says:

    Jeffro: Er, that was meant ironically. I wrote that because the sentence “However, the malicious user must have knowledge of the database table prefix.” sounds like guessing the table prefix of a WordPress installation would be a substantial blocker for an attacker. Btw, I also wouldn’t suggest changing the prefix, simply because there might be a bug in a plugin where wp_ is hardcoded. Unless you really have the necessity to change the prefix and you are ready to debug plugins, you should leave it.

  6. Jeffro2pt0 (164 comments.) says:

    @Alex Thanks for letting me know regardless. I was thinking of adding the prefix stuff to the Codex article about hardening WordPress, but because of the point you brought up, it’s better that I didn’t.

  7. Tadd (89 comments.) says:

    Jeff – yeah I do enjoy these posts … not, like enjoy in as in a novel or movie … but I’m grateful that there are people who are helpful and point out problems with plugins that could bring your whole website down.

  8. John (1 comments.) says:

    Any patch yet for WP-Cal? I’ve had it disabled now for a while and would mind switching it back on.



Trackbacks/Pingbacks

  1. […] at WeblogToolsCollection has reported two new vulnerabilities that have recently been found in WordPress plugins: Today, we […]

  2. […] (trackback text lost to a character-encoding error; the recoverable fragments are: WebLogTools, SQL, WP-Cal, “enter_the_dragon”, Adserve Plugin version 0.2) […]

  3. […] Weblog Tools Collection reports vulnerabilities in Adserve WordPress Plugin v0.2 and WP-Cal WordPress Plugin. […]

  4. […] WP-Cal (Weblog Tools Collection » Blog Archive » 2in1 Security Bulletin) […]
