[wp-docs] security issues
Craig Hartel
milquetoast at telus.net
Tue May 18 19:19:52 CDT 2004
I think that this message would have been more effective without the
editorializing. Sometimes people just don't communicate well. So, maybe
there was a misunderstanding, and that should be between you, Brian, and
Matt.
-----Original Message-----
From: docs-bounces at wordpress.org [mailto:docs-bounces at wordpress.org] On
Behalf Of Brian Shirk
Sent: Tuesday, May 18, 2004 5:02 PM
To: docs at wordpress.org
Subject: [wp-docs] security issues
Hey guys, I have a random issue that needs some looking at; I already tried
talking to Matt, but he was a bit of a jerk to me and was talking down to me
after giving me a few non-solutions, so I'm just going to put this out there
and let you guys deal with it. Don't involve me in it.
Last night, I was looking through the code because I was having some
problems with a site that runs wordpress (which I do not own or have root
access to). I found that by setting the file upload directory to, say,
/tmp/, I was able to upload files to places I'm not authorized to upload
them to by the server's administrator. Turns out that there are no safety
checks whatsoever (how is this not a security issue, matt?), and there is no
notification in the docs (especially not the installation stuff) about this
'feature'. Since everything that gets uploaded is supposed to be 0766 and
on the default installation there is no separation of virtual hosts or
sites, that's a pretty big deal - defacing, setting up unauthorized porn
sites, etc, would be pretty simple.
I was told that the solution does not involve WordPress, and that I should
just set up separate virtual servers (on a server I don't own) - which is a
bad idea in the first place, given the necessary overhead, and that there's
also an extension to PHP which could help (something that sets it so it'll
only be able to write in a certain subtree, etc) - which is great, but it's
not at all documented, and so the default installation (as detailed in the
5-minute-install) leaves gaping security holes, especially on systems such
as the one my family uses, which are basically boxes dedicated to
thousands of wordpress instances.
This is a serious issue and needs to be fixed. (Don't try to argue with me
on that - I was able to test it on a production system, and the
administrator would have had no way of knowing how I did it because it is not
sufficiently documented)
Good luck
-Brian Shirk
_______________________________________________
docs mailing list
docs at wordpress.org http://wordpress.org/mailman/listinfo/docs_wordpress.org
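One defender-side check for the problem described in the quoted message, added here as an example and not code from WordPress or anyone on the list: a PHP function that refuses an upload-directory setting unless it resolves to a directory strictly inside the site's own tree. The site root and demo layout are constructed for the example; the PHP extension the message mentions that confines writes to a subtree is, as far as I can tell, the open_basedir directive, which still belongs in php.ini as a backstop behind a check like this.

```php
<?php
// Added example, not WordPress's own code: accept a configured upload
// directory only if it resolves to a directory strictly inside the site's
// own tree, so a setting such as "/tmp/" or "../../" cannot redirect uploads
// to a location the server administrator never authorised.

function validate_upload_dir(string $siteRoot, string $configured): string
{
    $root = realpath($siteRoot);
    if ($root === false || !is_dir($root)) {
        throw new RuntimeException("site root missing: $siteRoot");
    }
    // A relative setting is resolved against the site root, never against
    // the process working directory, which the web server decides.
    $isAbsolute = $configured !== '' && $configured[0] === DIRECTORY_SEPARATOR;
    $candidate  = $isAbsolute ? $configured : $root . DIRECTORY_SEPARATOR . $configured;

    // realpath() collapses "..", duplicate separators and symlinks, so the
    // containment check sees the directory that writes would really land in.
    $resolved = realpath($candidate);
    if ($resolved === false || !is_dir($resolved)) {
        throw new RuntimeException("upload dir does not exist: $configured");
    }
    // Compare with a trailing separator so "/var/www/site-evil" is not taken
    // to be inside "/var/www/site"; the root itself is rejected as well.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException("upload dir $resolved escapes $root");
    }
    return $resolved;
}

// Constructed layout so the check can be exercised on any machine:
// <tmp>/wp-site-demo/uploads is the only setting below that should pass.
$siteRoot = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wp-site-demo';
@mkdir($siteRoot . DIRECTORY_SEPARATOR . 'uploads', 0755, true);

foreach (['uploads', '/tmp/', '../', 'uploads/../..'] as $setting) {
    try {
        echo "$setting -> accepted: ", validate_upload_dir($siteRoot, $setting), "\n";
    } catch (RuntimeException $e) {
        echo "$setting -> rejected: ", $e->getMessage(), "\n";
    }
}
```

The directory mode is a separate concern: the check above only decides where uploads may land, and an upload directory that is itself world-writable (the 0766 the message mentions) still needs tightening on shared hosts.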