Hello Jerry,
On Thu, 2010-12-02 at 15:34 -0800, Jerry Franz wrote:
> And in an exact example of this, today I needed to update some WordPress (WP) installations. Only, for "some reason" the FTP based autoupdater didn't work today.
Do you feel comfortable letting a web application update itself using FTP or even SSH credentials?
http://wordpress.org/support/topic/filesystem-credentials-very-bad-practice-...
https://bugzilla.redhat.com/show_bug.cgi?id=659294
The patch shown in http://core.trac.wordpress.org/changeset/16625
prompted me to try a
$ grep -r '= %s"' *
in the web root of a WordPress installation. The matches are a bunch of possible SQL injections. Haven't checked the actual code paths, but note how all these strings are unescaped and potentially allow the addition of extra statements using ';'.
Regards, Leonard.
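To make the "= %s" pattern concrete, here is an added, self-contained example (my own illustration, not code from WordPress or from the posters above). It uses Python's sqlite3 with a constructed two-row posts table, stands in for a PHP sprintf-built query with the same "%s" formatting, and shows three things: an unquoted, unescaped "%s" lets the value itself be parsed as SQL (a tautology returns every row); a bound parameter treats the same payload as plain data; and, on a driver that accepts several ';'-separated statements (sqlite3's executescript is used to emulate that; whether a given PHP MySQL driver does so depends on the API), the same unquoted slot lets an attacker append a second statement. The table name, columns and values are invented for the demonstration.

```python
import sqlite3

# Constructed sample table: not WordPress's real schema, just enough to show
# the pattern. A public post and a draft that a reader should never see.
SCHEMA = """
CREATE TABLE posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_status TEXT);
INSERT INTO posts VALUES (1, 'Hello world', 'publish');
INSERT INTO posts VALUES (2, 'Secret draft', 'draft');
"""


def open_db():
    """Fresh in-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_unquoted(post_id):
    """The '= %s' pattern the grep finds: the value is pasted into the SQL text
    with no quotes and no escaping, so it is parsed as SQL, not as a value."""
    return "SELECT post_title FROM posts WHERE ID = %s" % post_id


def titles_unquoted(conn, post_id):
    """Vulnerable lookup built from build_unquoted()."""
    return [row[0] for row in conn.execute(build_unquoted(post_id))]


def titles_parameterized(conn, post_id):
    """Hardened form: the value is bound as a parameter and never becomes SQL
    text, so '2 OR 1=1' is compared as an opaque string and matches nothing."""
    return [
        row[0]
        for row in conn.execute(
            "SELECT post_title FROM posts WHERE ID = ?", (post_id,)
        )
    ]


def stacked_unquoted(conn, post_id):
    """Emulates a driver that runs several ';'-separated statements: the
    attacker-controlled tail of the unquoted slot is executed as a second
    statement. Returns the number of rows left in posts afterwards."""
    conn.executescript("SELECT post_title FROM posts WHERE ID = %s" % post_id)
    return conn.execute("SELECT COUNT(*) FROM posts").fetchone()[0]


def stacked_parameterized(conn, post_id):
    """Same payload through a bound parameter: the ';' is just part of a
    string being compared to ID, so nothing is deleted."""
    conn.execute("SELECT post_title FROM posts WHERE ID = ?", (post_id,)).fetchall()
    return conn.execute("SELECT COUNT(*) FROM posts").fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    print(build_unquoted("2 OR 1=1"))
    print(titles_unquoted(db, "2 OR 1=1"))        # both rows, draft included
    print(titles_parameterized(db, "2 OR 1=1"))   # nothing: payload is data
    payload = "1; DELETE FROM posts WHERE post_status = 'draft'"
    print(stacked_parameterized(db, payload))     # 2 rows remain
    print(stacked_unquoted(db, payload))          # 1 row remains
```

The first line of output is the exact text a "= %s" site sends to the database, which is the quickest way to confirm a grep hit is really reachable with attacker input: if the value on the right of "=" can contain anything but a bare number, the slot needs a bound parameter (or, failing that, quoting plus escaping), not a format string.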