Comments on: Is it really that unbelievable? http://robert.wordpress.com/2006/09/25/is-it-really-that-unbelievable/ Just another WordPress.com weblog Sun, 02 Nov 2008 08:10:45 +0000 http://wordpress.com/ hourly 1 By: Robert Deaton http://robert.wordpress.com/2006/09/25/is-it-really-that-unbelievable/#comment-10 Robert Deaton Tue, 26 Sep 2006 23:11:36 +0000 http://robert.wordpress.com/2006/09/25/is-it-really-that-unbelievable/#comment-10 Heh, you're asking the wrong developer. If it was up to me, the db backup plugin would be in the core indefinitely. See the second paragraph <a href="http://comox.textdrive.com/pipermail/wp-testers/2006-September/002957.html" rel="nofollow">here</a>. Heh, you’re asking the wrong developer. If it was up to me, the db backup plugin would be in the core indefinitely. See the second paragraph here.

]]> By: skippy http://robert.wordpress.com/2006/09/25/is-it-really-that-unbelievable/#comment-9 skippy Tue, 26 Sep 2006 21:31:43 +0000 http://robert.wordpress.com/2006/09/25/is-it-really-that-unbelievable/#comment-9 Then the current situation is no different from any of the discovered vulnerabilities in previous versions of WordPress that sat, unpatched for long periods of time prior to the next official release of WordPress. And the fact that admin privileges are required to exploit the directory traversal vulnerability makes this even more on par with some of the core vulnerabilities that also required admin privileges to execute. Why make a big push to resolve this, when "just wait for the next release" was sufficient for the core vulnerabilities? Then the current situation is no different from any of the discovered vulnerabilities in previous versions of WordPress that sat, unpatched for long periods of time prior to the next official release of WordPress.

And the fact that admin privileges are required to exploit the directory traversal vulnerability makes this even more on par with some of the core vulnerabilities that also required admin privileges to execute. Why make a big push to resolve this, when “just wait for the next release” was sufficient for the core vulnerabilities?

]]> By: Robert Deaton http://robert.wordpress.com/2006/09/25/is-it-really-that-unbelievable/#comment-8 Robert Deaton Tue, 26 Sep 2006 19:44:00 +0000 http://robert.wordpress.com/2006/09/25/is-it-really-that-unbelievable/#comment-8 I don't want to be misunderstood. The above post is not saying that the plugin currently has vulnerabilities that have been left unfixed. However, no WordPress release has been made with a fix for the directory traversal vulnerability, and the above people questioned whether or not the vulnerability exists at all, not whether it had been fixed. As for why they weren't good citizens, I'm not really sure. The closest I can come to finding the other issues Ryan mentioned were the changes <a href="http://trac.wordpress.org/changeset/3815" rel="nofollow">[3815]</a> and <a href="http://trac.wordpress.org/changeset/4049" rel="nofollow">[4049]</a> because of missing current_user_can checks. Really, those should have been reported upstream. But let me clarify, there has been no publically released fix. The only fix available is in branches/2.0/ at the moment, and should be in 2.0.5. I don’t want to be misunderstood. The above post is not saying that the plugin currently has vulnerabilities that have been left unfixed. However, no WordPress release has been made with a fix for the directory traversal vulnerability, and the above people questioned whether or not the vulnerability exists at all, not whether it had been fixed.

As for why they weren’t good citizens, I’m not really sure. The closest I can come to finding the other issues Ryan mentioned were the changes [3815] and [4049] because of missing current_user_can checks. Really, those should have been reported upstream.

But let me clarify, there has been no publically released fix. The only fix available is in branches/2.0/ at the moment, and should be in 2.0.5.

]]> By: skippy http://robert.wordpress.com/2006/09/25/is-it-really-that-unbelievable/#comment-7 skippy Tue, 26 Sep 2006 15:06:45 +0000 http://robert.wordpress.com/2006/09/25/is-it-really-that-unbelievable/#comment-7 Matt <a href="http://comox.textdrive.com/pipermail/wp-testers/2006-September/002976.html" rel="nofollow">has acknowledged</a> that there are no known vulnerabilities with the backup plugin. The directory traversal vulnerability is the <em>only</em> vulnerability for which I could find any public evidence, despite Ryan's claim that it was the third. Why weren't the Automattic guys the good citizens they want everyone else to be by reporting the problems upstream to me? I'd appreciate it if you could set the record straight: there was a problem, it was fixed, and now WP-DB-Backup shares the same status as WordPress itself: "believed secure, until proven otherwise". Matt has acknowledged that there are no known vulnerabilities with the backup plugin.

The directory traversal vulnerability is the only vulnerability for which I could find any public evidence, despite Ryan’s claim that it was the third. Why weren’t the Automattic guys the good citizens they want everyone else to be by reporting the problems upstream to me?

I’d appreciate it if you could set the record straight: there was a problem, it was fixed, and now WP-DB-Backup shares the same status as WordPress itself: “believed secure, until proven otherwise”.

]]>