Date: Fri, 13 May 2011 11:06:13 -0430
From: Kernel Panic <lkernelpanic@...il.com>
To: John Jacobs <flamdugen@...mail.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: WordPress DB Dump - "Spammers Delight"

While it is a matter of concern (the SQL dumps being the worst), I think this is
more an admin/maintainer problem than WordPress's.

WordPress isn't the only one able to use backup jobs or other types of data
dumps; it's a common thing, but it should be a concern to the owner, hosting
provider, or whoever takes care of updates/backups to secure either the
locations of such dumps or the dumped files.

On Fri, May 13, 2011 at 10:37, John Jacobs <flamdugen@...mail.com> wrote:

>
> Hello FD,
>
> There appear to be multiple WordPress powered sites that are performing
> a DB->XML dump of the articles and subsequent pages.  The comments
> section includes originating IP address, datetime, E-Mail address,
> homepage, etc.  These entities are traditionally not exposed to the
> anonymous Internet via WordPress.  Since the XML dump is structured it's
> quite easy to harvest this data.
>
> More alarming is the volume of sites freely exposing this.  I'm not certain
> of the root cause but perhaps it's related to an upgrade procedure.  Google
> is happily indexing and caching these dumps as it appears they're created
> in the attachment system (URI ?attachment_id=\d+) with an HREF to the
> actual dump.
>
> A simple Google search below will return a multitude of sites.  Perhaps
> someone on the WordPress side can comment on this behavior?
>
> Google Query - inurl:uploads ".xml_.txt" wordpress
>
> Another tasty query seems to be harvest of the MySQL database backup:
>
> Google Query - inurl:uploads ".sql.txt" wordpress
>
> Finally, I don't use WordPress so I really can't comment on severity.  At a
> minimum I believe this violates an implied level of privacy when commenting
> on articles powered by WordPress -- the E-Mail address and IP information is
> exposed in these DB dumps.
>
> Cheers,
>
> John "Be Nice" Jacobs
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

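Kernel Panic's point that securing the dump locations is the site owner's job, as an added example that is not code from either post: a Python audit script that walks a wp-content/uploads tree looking for the file names John describes (.xml_.txt, .sql.txt), also sniffs text files for SQL or WordPress WXR export content so a renamed dump is still caught, and carries an Apache 2.4 deny rule for the name patterns. The extra suffixes, the content markers, the Apache deployment and the sample file names are assumptions.

```python
"""Find database dumps left in a WordPress uploads tree (added example)."""
import os
import tempfile
from pathlib import Path

# Name patterns from the thread (.xml_.txt, .sql.txt); the rest are assumed variants.
DUMP_SUFFIXES = (".xml_.txt", ".sql.txt", ".sql", ".sql.gz", ".sql.zip")
# Content markers catch a renamed dump: SQL statements, or the wp: namespace a WXR export declares.
CONTENT_MARKERS = (b"CREATE TABLE", b"INSERT INTO", b'xmlns:wp="http://wordpress.org/export/')
HEAD_BYTES = 64 * 1024
# Apache 2.4 rule (assumed deployment) denying direct download of the name
# patterns above; it cannot help once a dump has been renamed.
HTACCESS_RULE = ('<FilesMatch "\\.(sql(\\.(txt|gz|zip))?|xml_\\.txt)$">\n'
                 '    Require all denied\n</FilesMatch>\n')

def classify(path):
    """Return why a file looks like a dump, or None if it does not."""
    name = path.name.lower()
    if name.endswith(DUMP_SUFFIXES):
        return "name matches dump pattern"
    if name.endswith((".txt", ".xml")):  # only text-like files are sniffed
        with open(path, "rb") as fh:
            head = fh.read(HEAD_BYTES)
        for marker in CONTENT_MARKERS:
            if marker in head:
                return "content contains %r" % marker.decode()
    return None

def find_exposed_dumps(uploads_root):
    """Walk uploads_root; return sorted (relative path, reason) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(uploads_root):
        for fname in files:
            p = Path(dirpath) / fname
            reason = classify(p)
            if reason:
                findings.append((p.relative_to(uploads_root).as_posix(), reason))
    return sorted(findings)

def demo():
    """Scan a constructed sample uploads tree (file names made up for the demo)."""
    root = Path(tempfile.mkdtemp())
    (root / "2011" / "05").mkdir(parents=True)
    (root / "2011" / "05" / "site.xml_.txt").write_text("<rss>...</rss>")
    (root / "2011" / "05" / "wp_db.sql.txt").write_text("-- dump")
    (root / "notes.txt").write_text("INSERT INTO wp_comments VALUES (1);")
    (root / "export.xml").write_text('<rss xmlns:wp="http://wordpress.org/export/1.1/"/>')
    (root / "readme.txt").write_text("nothing sensitive here")
    return find_exposed_dumps(str(root))
```

Run `demo()` to see the four flagged files; `readme.txt` passes because neither its name nor its content matches.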