The entire Wordpress ecosystem was nearly well and truly fucked
-
@Scarlet_Manuka said in The entire Wordpress ecosystem was nearly well and truly fucked:
@Lorne-Kates said in The entire Wordpress ecosystem was nearly well and truly fucked:
@Polygeekery said in The entire Wordpress ecosystem was nearly well and truly fucked:
Guns. I have lots of guns.
Good luck, I'm behind seven bullet-proof vests.
But what if he shoots you with eight bullets?
Everyone knows guns only have 6 bullets.
-
@Lorne-Kates said in The entire Wordpress ecosystem was nearly well and truly fucked:
@Scarlet_Manuka said in The entire Wordpress ecosystem was nearly well and truly fucked:
@Lorne-Kates said in The entire Wordpress ecosystem was nearly well and truly fucked:
@Polygeekery said in The entire Wordpress ecosystem was nearly well and truly fucked:
Guns. I have lots of guns.
Good luck, I'm behind seven bullet-proof vests.
But what if he shoots you with eight bullets?
Everyone knows guns only have 6 bullets.
Except on TV. Then the magazine is infinite.
-
@dcon said in The entire Wordpress ecosystem was nearly well and truly fucked:
@Lorne-Kates said in The entire Wordpress ecosystem was nearly well and truly fucked:
@Scarlet_Manuka said in The entire Wordpress ecosystem was nearly well and truly fucked:
@Lorne-Kates said in The entire Wordpress ecosystem was nearly well and truly fucked:
@Polygeekery said in The entire Wordpress ecosystem was nearly well and truly fucked:
Guns. I have lots of guns.
Good luck, I'm behind seven bullet-proof vests.
But what if he shoots you with eight bullets?
Everyone knows guns only have 6 bullets.
Except on TV. Then the magazine is infinite.
Until reloading is relevant to the plot, of course
-
@dcon it depends if it's the good guy or the bad guy... bad guys have much more ammo but terrible aim.
-
Security is often very low on the list of concerns, especially in quick and dirty PHP projects. I've seen that so often, I can't really get surprised about it any more.
Just this week, I spent some time reviewing a commercial Magento extension¹ for security issues. I found:
- 3 different ways to read any file on the server that PHP can read,
- 5 different ways to upload any file to a certain directory on the server, including one that lets you overwrite the webserver's security configuration for that directory and then execute uploaded PHP code,
- a way to delete certain things the administrator has created in the backend,
- a way to overwrite other customers' uploaded files,
- a way to edit other customers' information, which lets you then XSS/XSRF those customers when they view that information.
Total time invested: 6 hours. And I'm by no means a security expert.
¹$999 a pop.
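The classes of bug DCoder lists (read any file PHP can read, upload anything into a directory that also honours an uploaded .htaccess, overwrite or edit other customers' data) mostly come down to two missing checks: the server never chose the on-disk file name itself, and it never asked who owns the thing being read or replaced. Below is an added example of an upload/download handler that makes both checks; it is not code from the thread or from the extension under review, and the class name, the upload directory path and the $owners map (a stand-in for a real ownership table) are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread or from any real Magento extension.
// Hypothetical names: $uploadDir is a directory OUTSIDE the web root that is
// only reachable through serveFile(); $owners is an application-side map of
// stored name => owning customer id, standing in for a real database table.

final class CustomerUploads
{
    /** Extension => expected content type. Nothing executable is on the list. */
    private const ALLOWED = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'pdf'  => 'application/pdf',
    ];

    private string $uploadDir;
    /** @var array<string,int> stored file name => customer id */
    private array $owners = [];

    public function __construct(string $uploadDir)
    {
        $this->uploadDir = rtrim($uploadDir, '/');
    }

    /**
     * Pick the on-disk name. Only the extension comes from the client; the rest
     * is random, so ".htaccess", "../../etc/passwd" and "shell.php" can never
     * become a path under $uploadDir.
     */
    public function storageName(string $clientName): string
    {
        $base = basename(str_replace('\\', '/', $clientName));
        if ($base === '' || $base[0] === '.') {
            throw new InvalidArgumentException('rejected: empty name or dotfile');
        }
        $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
        if (!isset(self::ALLOWED[$ext])) {
            throw new InvalidArgumentException("rejected: extension '$ext' not allowed");
        }
        return bin2hex(random_bytes(16)) . '.' . $ext;
    }

    /** Accept one entry of $_FILES on behalf of the authenticated customer. */
    public function store(array $file, int $customerId): string
    {
        if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
            || !is_uploaded_file($file['tmp_name'])) {
            throw new RuntimeException('rejected: not a completed browser upload');
        }
        $name = $this->storageName((string) $file['name']);
        $ext  = pathinfo($name, PATHINFO_EXTENSION);

        // Sniff the bytes; the client's Content-Type header is attacker-controlled.
        $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
        if ($mime !== self::ALLOWED[$ext]) {
            throw new RuntimeException("rejected: content is $mime, not " . self::ALLOWED[$ext]);
        }
        if (!move_uploaded_file($file['tmp_name'], $this->uploadDir . '/' . $name)) {
            throw new RuntimeException('could not store upload');
        }
        $this->owners[$name] = $customerId;   // record who may read or replace it
        return $name;
    }

    /**
     * Resolve a download request. Rejects anything that is not a name this
     * class generated (no "read any file PHP can read") and anything the
     * requesting customer does not own (no reading other customers' files).
     */
    public function pathFor(string $storedName, int $customerId): string
    {
        if (!preg_match('/\A[0-9a-f]{32}\.(jpg|jpeg|png|pdf)\z/', $storedName)) {
            throw new InvalidArgumentException('rejected: not a stored file name');
        }
        if (($this->owners[$storedName] ?? null) !== $customerId) {
            throw new RuntimeException('forbidden: not the owner');
        }
        $path = realpath($this->uploadDir . '/' . $storedName);
        // Belt and braces: the resolved path must still sit inside $uploadDir.
        if ($path === false || strpos($path, realpath($this->uploadDir) . '/') !== 0) {
            throw new RuntimeException('not found');
        }
        return $path;
    }

    /** Stream a file the customer owns, with a fixed type and as an attachment. */
    public function serveFile(string $storedName, int $customerId): void
    {
        $path = $this->pathFor($storedName, $customerId);
        $ext  = pathinfo($path, PATHINFO_EXTENSION);
        header('Content-Type: ' . self::ALLOWED[$ext]);
        header('Content-Disposition: attachment; filename="' . $storedName . '"');
        header('X-Content-Type-Options: nosniff');
        readfile($path);
    }
}

// Usage inside a request handler; the customer id comes from the session,
// never from a request parameter:
// $uploads = new CustomerUploads('/var/app/customer-uploads');   // hypothetical path
// $name = $uploads->store($_FILES['document'], $sessionCustomerId);
// $uploads->serveFile($_GET['file'], $sessionCustomerId);
```

The same ownership check (compare the record's owner to the session's customer id before any read, update or delete) is what stops the "edit other customers' information" finding, and the stored XSS that rides on it is closed by passing every customer-supplied string through htmlspecialchars() at output time rather than trusting it was clean on the way in.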
-
@DCoder but now you have Magento on you. But I am in no way surprised by the things you've found. It's common to any mid-size PHP application that wasn't built security-first (which is, basically, anything that thinks it's good enough to not need a framework to help them, or worse, rolled their own) or wasn't audited by someone shit-hot at security to fix all the issues.
-
@DCoder said in The entire Wordpress ecosystem was nearly well and truly fucked:
Magento
Fuck Magento with a dead elephant's dick.
(And not just because they're a competitor)
-
@Lorne-Kates said in The entire Wordpress ecosystem was nearly well and truly fucked:
And not just because they're a competitor
Also because it's good fun to play around with a dead elephant's dick?
-
I really want someone fucking competent to come along, and build a better WordPress that isn't full of donkey shit pretending to be 'code is poetry' bullwank.
I still find the 'famous 5 minute install' so bizarre because I'm a fucking web dev by profession and I frequently only just scraped it inside the 5 minutes. I don't believe 'real users' would actually manage it inside 5 minutes at all.
-
@anonymous234 said in The entire Wordpress ecosystem was nearly well and truly fucked:
I said "any competent company".
Can you give us some examples? I'm struggling here.
-
@Lorne-Kates said in The entire Wordpress ecosystem was nearly well and truly fucked:
@DCoder said in The entire Wordpress ecosystem was nearly well and truly fucked:
Magento
Magento
I read that as 'Magneto'
-
@Arantor said in The entire Wordpress ecosystem was nearly well and truly fucked:
I still find the 'famous 5 minute install' so bizarre
Advertising slogans that aren’t 100% true … who would have thought?
-
@Arantor said in The entire Wordpress ecosystem was nearly well and truly fucked:
bullwank
Dead bull elephant wank. Apparently.
-
@anonymous234 said in The entire Wordpress ecosystem was nearly well and truly fucked:
If you're a small company, keeping a file completely private for years/decades can be very hard (what's stopping someone from breaking in at night into your server room and taking your hard drives?)
I'm happy with the physical security of the school server closet. It's at least as good as the physical security of the filing cabinets that contain paperwork of equal sensitivity.
I'm not anywhere near as happy with the physical security of the backyard cabin at my house, which is where I keep the school's disaster-recovery backup drives. That's why those drives are full-disk encrypted with dm-crypt, using a randomly generated key that's kept in two places: (1) in a file on the physically secure server I'm backing up over ssh onto those drives and (2) in my KeePass database, which is itself protected by a password with about 120 bits of entropy that I've committed to memory.
This is not hard.
If I were not happy with the physical security of the server closet, I would add two measures: full-disk encryption of the server drives and a power-cut switch hooked into the building's alarm system. Needing a trusted employee on site to start up the servers after a power outage would be a bit of a pain in the arse, but still eminently doable.
-
@Arantor said in The entire Wordpress ecosystem was nearly well and truly fucked:
bad guys have much more ammo but terrible aim
and they use tracers!
-
@dkf said in The entire Wordpress ecosystem was nearly well and truly fucked:
Dead bull elephant wank.
A four-word phrase I was not expecting to read today.
Or ever.
-
@RaceProUK It wasn't part of my plan for the day either. ;)
-
@sloosecannon said in The entire Wordpress ecosystem was nearly well and truly fucked:
Until reloading is relevant to the plot, of course
And usually the slide never locks open, so the good/bad guy can act all surprised if he pulls the trigger dramatically and only hears a click.
Also, when you fight for a gun, it does not matter if your fingers are close to the slide when the bad guy fires into the ceiling.
-
@dkf said in The entire Wordpress ecosystem was nearly well and truly fucked:
It wasn't part of my plan for the day either.
So ... it's a Sunday pastime?
-
@Luhmann said in The entire Wordpress ecosystem was nearly well and truly fucked:
@Lorne-Kates said in The entire Wordpress ecosystem was nearly well and truly fucked:
And not just because they're a competitor
Also because it's good fun to play around with a dead elephant's dick?
You can get seriously hurt trying to play with a live elephant's dick.
-
@RaceProUK said in The entire Wordpress ecosystem was nearly well and truly fucked:
@dkf said in The entire Wordpress ecosystem was nearly well and truly fucked:
Dead bull elephant wank.
A four-word phrase I was not expecting to read today.
Or ever.
When life gives you dead bull elephant cock, you make dead bull elephant wank.
-
@Arantor said in The entire Wordpress ecosystem was nearly well and truly fucked:
I still find the 'famous 5 minute install' so bizarre because I'm a fucking web dev by profession and I frequently only just scraped it inside the 5 minutes. I don't believe 'real users' would actually manage it inside 5 minutes at all.
Maybe it uses the same time scale as "god created the earth in 6 days". (hmm, am I even 1 minute old in that scale?)
-
@Lorne-Kates
I'll keep your advice in mind
-
@Lorne-Kates said in The entire Wordpress ecosystem was nearly well and truly fucked:
Good luck, I'm behind seven bullet-proof vests.
Head shot.
-
@lolwhat said in The entire Wordpress ecosystem was nearly well and truly fucked:
Head shot.
-
@anonymous234 said in The entire Wordpress ecosystem was nearly well and truly fucked:
any competent company
And where are we again?
-
@flabdablet said in The entire Wordpress ecosystem was nearly well and truly fucked:
That's why those drives are full-disk encrypted with dm-crypt, using a randomly generated key that's kept in two places: (1) in a file on the physically secure server I'm backing up over ssh onto those drives and (2) in my KeePass database, which is itself protected by a password with about 120 bits of entropy that I've committed to memory.
And if the same event kills both the server and you?
-
@TimeBandit Was Moodle the one that alternatively asks you to provide FTP credentials so it can update itself via FTP? (OTOH, I don't really want to be reminded which particular tower of turd does that, I'm busy enough shining the one we're using at $ORK.)
-
@uschwarz most of the towers of turd have something akin to that going on. WP certainly used to before it did auto updating (which probably relies on this)
-
@uschwarz said in The entire Wordpress ecosystem was nearly well and truly fucked:
@TimeBandit Was Moodle the one that alternatively asks you to provide FTP credentials so it can update itself via FTP?
Not sure, I think I saw that in WordPress.
Anyway, when I saw it, my immediate reaction was:
Of course I will install an FTP server for you, right after I wipe all my computers and install TempleOS!!!
-
@Lorne-Kates >implying Wordpress isn't still well and truly fucked
-
@accalia said in The entire Wordpress ecosystem was nearly well and truly fucked:
@Lorne-Kates said in The entire Wordpress ecosystem was nearly well and truly fucked:
dunkin' donuts
E_TIM_HORTENS_HAS_BETTER_DONUTS
E_KRISPY_KREME
-
@Scarlet_Manuka said in The entire Wordpress ecosystem was nearly well and truly fucked:
@Lorne-Kates said in The entire Wordpress ecosystem was nearly well and truly fucked:
@Polygeekery said in The entire Wordpress ecosystem was nearly well and truly fucked:
Guns. I have lots of guns.
Good luck, I'm behind seven bullet-proof vests.
But what if he shoots you with eight bullets?
He's also behind 10 proxies
-
@flabdablet said in The entire Wordpress ecosystem was nearly well and truly fucked:
@Arantor said in The entire Wordpress ecosystem was nearly well and truly fucked:
bad guys have much more ammo but terrible aim
and they use tracers!
-
@JazzyJosh When I first saw the box art for that game, I couldn't figure out whether that character was a guy or a girl. I later learned he's a she.
-
~~Wordpress~~ Microsoft Azure RHEL ecosystem was nearly well and truly fucked.
http://ianduffy.ie/blog/2016/11/26/azure-bug-bounty-pwning-red-hat-enterprise-linux/
-
@Lorne-Kates We're OK then, as our Azure-hosted stuff is all on Windows Server :P
-
@dcon said in The entire Wordpress ecosystem was nearly well and truly fucked:
Then the magazine is infinite
Don't you mean clip?