Full Disclosure mailing list archives
Re: Day of bugs in WordPress 2
From: "MustLive" <mustlive () websecurity com ua>
Date: Sun, 1 Aug 2010 23:30:42 +0300
Hello guys!

I'm glad that I gave you such occasion for discussion. Even though it was just an announcement :-).

As I already told Canberk (from Full-disclosure), on 30.07.2010 I already conducted my new project. And if in the first Day of bugs in WordPress I published 81 vulnerabilities, then in the second project I published 8 vulnerabilities, but all of them are interesting (especially the more complex holes). Soon I'll publish English descriptions of these vulnerabilities (one by one the three advisories which I made in the project) to the Bugtraq and Full-disclosure mailing lists.

Concerning using text editors in the context of security. As you can understand, using text editors doesn't directly influence improving security. And Christian wrote arguments about that. It's one thing to write webapps for the site from scratch, and another thing to use existing software (and in both cases webapps can be vulnerable) - e.g. people can use text editors for editing scripts in WordPress or Drupal.

On the other hand, if people are using text editors for developing their sites (even on a CMS), then it requires a higher level of knowledge from them, so they need to be more advanced web developers (which as a result leads to improving the security of their sites). Valdis also wrote good arguments on this topic. So there are indirect benefits of using text editors (aka the advanced web developing approach), both concerning security and concerning the quality of content on the Internet.

Summarizing, it's not using a text editor itself that leads to improving security, but it's about attitude to security. If people attend to the security of their webapps and web sites (regardless of whether they are using a plain text editor or a WYSIWYG editor), then it'll lead to improving security.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message -----
From: "coderman" <coderman () gmail com>
To: "MustLive" <mustlive () websecurity com ua>
Cc: <full-disclosure () lists grok org uk>
Sent: Friday, July 30, 2010 1:02 AM
Subject: Re: [Full-disclosure] Day of bugs in WordPress 2

On Thu, Jul 29, 2010 at 1:56 PM, MustLive <mustlive () websecurity com ua> wrote:
... I want to inform readers of the list about new project - Day of bugs in WordPress...

Hewlett Packard has a soul mate!

anyone who cares uses Drupal or other decent [0] and the wp people keep patching vulns via one-off escapes and parameter renaming.

my condolences if diligence deems more than a few hours requisite for such audit amusement. ;)

0. of course, Real (TM) women/men/earth-human hackers code their own python gevent based publishing pipe...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
