Comments on: The WordPress Security Update http://www.sitepoint.com/blogs/2005/08/18/the-wordpress-security-update/ News, opinion, and fresh thinking for web developers and designers. The official podcast of sitepoint.com. Tue, 02 Dec 2008 07:47:31 +0000 http://wordpress.org/?v=2.5 By: itlitjacgg http://www.sitepoint.com/blogs/2005/08/18/the-wordpress-security-update/#comment-191421 itlitjacgg Thu, 01 Mar 2007 08:34:43 +0000 927626957#comment-191421 <a href="http://vtxtqvl.com" rel="nofollow">jitcplm</a> jitcplm

]]> By: wvrvvspovp http://www.sitepoint.com/blogs/2005/08/18/the-wordpress-security-update/#comment-190964 wvrvvspovp Wed, 28 Feb 2007 15:31:18 +0000 927626957#comment-190964 Hi! Very nice site! Thanks you very much! tivwxiewjipe Hi! Very nice site! Thanks you very much! tivwxiewjipe

]]> By: JiggyWittit http://www.sitepoint.com/blogs/2005/08/18/the-wordpress-security-update/#comment-15144 JiggyWittit Mon, 06 Mar 2006 13:54:24 +0000 927626957#comment-15144 Kewl blog you got goin on up here. Peace, JiggyWittit Kewl blog you got goin on up here.
Peace, JiggyWittit

]]> By: TreeFrog http://www.sitepoint.com/blogs/2005/08/18/the-wordpress-security-update/#comment-14283 TreeFrog Wed, 22 Feb 2006 03:41:58 +0000 927626957#comment-14283 Terrific Blog you have. Peace Out. TreeFrog Terrific Blog you have. Peace Out.
TreeFrog

]]> By: DDDSoft http://www.sitepoint.com/blogs/2005/08/18/the-wordpress-security-update/#comment-13913 DDDSoft Mon, 13 Feb 2006 13:27:19 +0000 927626957#comment-13913 Thx, This a good site! http://dddsoft.com Thx, This a good site!

http://dddsoft.com

]]> By: WordPress - XOOPS CHINA http://www.sitepoint.com/blogs/2005/08/18/the-wordpress-security-update/#comment-9870 WordPress - XOOPS CHINA Thu, 13 Oct 2005 03:44:25 +0000 927626957#comment-9870 [...] 好久没上SitePoint的网站,今天在调试一个程序时用到它的rss,偶然发现它居然不知从什么时候换成了WordPress,偷偷摸摸的,就像The WordPress Security Update里所争论的 [...] […] 好久没上SitePoint的网站,今天在调试一个程序时用到它的rss,偶然发现它居然不知从什么时候换成了WordPress,偷偷摸摸的,就像The WordPress Security Update里所争论的 […]

]]> By: ce http://www.sitepoint.com/blogs/2005/08/18/the-wordpress-security-update/#comment-8139 ce Fri, 19 Aug 2005 08:36:45 +0000 927626957#comment-8139 about the PHP :-) a) mentioned on the download site!!! the right place is the front page!!! I will never check the download page if there is no new version. now I have a file called php-5.0.4.tar.bz2 I should check EVRY TIME if it is the correct file (I still have somewhere this buggy file) b) lacking files from PEAR ok, not a security problem, but still a bug c) you never say never :-) P.S. I don't know wordpress at all (haven't heart of it until now), I am just disapointed by PHP from their style of development the last few months/years, and I am pressed to try alternatives thats all (just a fit of nerves) peace! :-)) about the PHP :-)
a) mentioned on the download site!!! the right place is the front page!!! I will never check the download page if there is no new version. now I have a file called php-5.0.4.tar.bz2 I should check EVRY TIME if it is the correct file (I still have somewhere this buggy file)
b) lacking files from PEAR ok, not a security problem, but still a bug
c) you never say never :-)

P.S. I don’t know wordpress at all (haven’t heart of it until now), I am just disapointed by PHP from their style of development the last few months/years, and I am pressed to try alternatives thats all (just a fit of nerves) peace! :-))

]]> By: Stefan http://www.sitepoint.com/blogs/2005/08/18/the-wordpress-security-update/#comment-2418 Stefan Wed, 31 Dec 1969 19:00:00 +0000 927626957#comment-2418 <p>Just a "little" correction. </p> <p>"Dougall admits that the first downloadable archive to be posted on wordpress.org didn't contain all the security fixes they intended to include..."</p> <p>This sounds as if they only forgot to put a fix into the release, but this is simply not true, because I downloaded the 1.5.2 release tarball to check if they had really fixed the SQL holes that I had reported. I realised that those were fixed and so I checked how they fixed the remote code execution. It turned out, that this fix was worth nothing because it was easy bypassable and so I sent them a patch to fix it. (7 hours before the replacement)</p> <p>And there are enough timestamps in the subversion tree, the release tarball and the blog posting, to prove, that the announcement was made ATLEAST 4 hours and 45 minutes before the tarball was replaced, and that the original tarball was created 9 hours before the replaced one.</p> Just a “little” correction.

“Dougall admits that the first downloadable archive to be posted on wordpress.org didn’t contain all the security fixes they intended to include…”

This sounds as if they only forgot to put a fix into the release, but this is simply not true, because I downloaded the 1.5.2 release tarball to check if they had really fixed the SQL holes that I had reported. I realised that those were fixed and so I checked how they fixed the remote code execution. It turned out, that this fix was worth nothing because it was easy bypassable and so I sent them a patch to fix it. (7 hours before the replacement)

And there are enough timestamps in the subversion tree, the release tarball and the blog posting, to prove, that the announcement was made ATLEAST 4 hours and 45 minutes before the tarball was replaced, and that the original tarball was created 9 hours before the replaced one.

]]> By: Stefan http://www.sitepoint.com/blogs/2005/08/18/the-wordpress-security-update/#comment-2419 Stefan Wed, 31 Dec 1969 19:00:00 +0000 927626957#comment-2419 <p>"Amusingly, it appears that hours after the blog post went live, Stefan renamed the post's title to 'WordPress - irresponsible silent tarball update' without notice."</p> <p>So the term "Update:" is no notice of changes? And you really compare a changed blog entry title with a silently fixed remote code execution hole? And btw. the blog title was changed only minutes and not hours after the Post. </p> <p>It was bad luck that planet-php and other aggregators were fast enough to get the explicit title. However it underlines that even in a very very short timewindow downloads are possible.</p> “Amusingly, it appears that hours after the blog post went live, Stefan renamed the post’s title to ‘WordPress - irresponsible silent tarball update’ without notice.”

So the term “Update:” is no notice of changes? And you really compare a changed blog entry title with a silently fixed remote code execution hole? And btw. the blog title was changed only minutes and not hours after the Post.

It was bad luck that planet-php and other aggregators were fast enough to get the explicit title. However it underlines that even in a very very short timewindow downloads are possible.

]]> By: Anonymous http://www.sitepoint.com/blogs/2005/08/18/the-wordpress-security-update/#comment-2420 Anonymous Wed, 31 Dec 1969 19:00:00 +0000 927626957#comment-2420 <p>PHP itself did such a thing with 5.0.4 or 5.0.3 (I don't remember exactly) and it is quite a stupid thing for a mature project :-(</p> PHP itself did such a thing with 5.0.4 or 5.0.3 (I don’t remember exactly) and it is quite a stupid thing for a mature project :-(

]]>