(15:36:38) (Caius) masquerade: “security issues” isn’t clear; it’s a quick excuse. If it was a proper reason then he should back it up with evidence or a description.

And if one wasn’t bad enough…

“I’m still not clear on whether or not the plugin has a security vulnerability.” (from the wp-testers archives)

Believe it. Follow the wp-svn mailing list and you know it’s true. If you search Bugtraq for the vulnerability, it’s the first result. Heck, if you visit skippy’s site, you’ll see that it exists. Just for giggles, I googled it too. Believe it yet? I don’t know about you, but if I were the lead author of software running on hundreds of thousands of blogs, I wouldn’t go around spouting off about a security vulnerability that doesn’t exist.

As a side note, after discussion: yes, security issues may be a poor justification. I don’t want to be misunderstood; I agree that it might be a silly excuse, a poor excuse, a petty excuse, etc., but I wouldn’t doubt Matt when he says that there were security issues. If anything, you should be questioning whether that makes the plugin deserving of being removed entirely, like this.

4 Responses to “Is it really that unbelievable?”

  1. skippy Says:

    Matt has acknowledged that there are no known vulnerabilities with the backup plugin.

    The directory traversal vulnerability is the only vulnerability for which I could find any public evidence, despite Ryan’s claim that it was the third. Why weren’t the Automattic guys the good citizens they want everyone else to be by reporting the problems upstream to me?

    I’d appreciate it if you could set the record straight: there was a problem, it was fixed, and now WP-DB-Backup shares the same status as WordPress itself: “believed secure, until proven otherwise”.

  2. Robert Deaton Says:

    I don’t want to be misunderstood. The above post is not saying that the plugin currently has vulnerabilities that have been left unfixed. However, no WordPress release has been made with a fix for the directory traversal vulnerability, and the above people questioned whether or not the vulnerability exists at all, not whether it had been fixed.

    As for why they weren’t good citizens, I’m not really sure. The closest I can come to finding the other issues Ryan mentioned were the changes [3815] and [4049] because of missing current_user_can checks. Really, those should have been reported upstream.

    But let me clarify: there has been no publicly released fix. The only fix available is in branches/2.0/ at the moment, and should be in 2.0.5.

  3. skippy Says:

    Then the current situation is no different from any of the discovered vulnerabilities in previous versions of WordPress that sat unpatched for long periods of time prior to the next official release of WordPress.

    And the fact that admin privileges are required to exploit the directory traversal vulnerability makes this even more on par with some of the core vulnerabilities that also required admin privileges to execute. Why make a big push to resolve this, when “just wait for the next release” was sufficient for the core vulnerabilities?

  4. Robert Deaton Says:

    Heh, you’re asking the wrong developer. If it was up to me, the db backup plugin would be in the core indefinitely. See the second paragraph here.

