hakre on wordpress
Hakre's devlog, thoughts and rants on wordpress on wordpress.com. And webdesign related. And web development related. My weapons of choice are Netscape 2.01, HTML, CSS, PHP and the Gif Construction Kit.
Tag Archives: Security
The Secure Programmer’s Pledge (by Anthony Ferrara; 16 Jul 2012)
WordPress: Vulnerability Statistics (CVE)
WordPress: Vulnerability Statistics (via CVE Details)
Many stops equal a U+002E full stop
HTTP Strict Transport Security (HSTS) –
Too Yellow to Name a Ticket – WordPress Security Bites Itself Again in 3.0.4 (Updated 2x)
WordPress 3.0.4 is out. What?! [UPDATE: The advisory is now online: Persistent XSS vulnerability – wordpress 3.0.3 (kses.php)] Keep cool. There is a release (all 3.0.2 to 3.0.4 changes), but actually Matt Mullenweg is asking for a security review … Continue reading
Posted in Pressed
Tagged #16042, kses, Matt Mullenweg, Security, Wordpress, Wordpress Security, WP-2.9, WP-3.0, XSS
5 Comments
Websocket Protocol Vulnerability
Linked: Disabling the WebSocket protocol (by Anne van Kesteren; 08 Dec 2010). This HTML 5 looks to be a scary mess security-wise. I hope the browser vendors do their jobs.
Slow Crawling Fixes
WordPress 3.0.2 went out some days ago, announced as a security release (full 3.0.2 Changelog) for the stable wordpress version. While taking a look into the changelog, I got a little flashback. The most prominent security issue was in fact an … Continue reading
Posted in Pressed, Surviving the Internet
Tagged #6644, Security, User Story, Wordpress, [7645]
3 Comments
WordPress.com on SSL
If you want to know about protecting your wordpress.com login with SSL, you can read the support page about it. It shows you the checkbox you need to tick. You need to enable it first (Users -> Personal Settings: Browser … Continue reading
Fun to Play: WordPress 3.0 Multisite SQL Injection Vulnerability Regression?
One reason why the MU Fork was re-introduced into the WordPress main trunk was that security updates crept in very slowly or not at all. Development had slowed considerably by the end of the fork. That left it open … Continue reading
Posted in Hacking The Core, Pressed
Tagged #5455, Multisite, Security, SQL Injection, Wordpress, WP-3.0
1 Comment
HTTP/HTML: Missing HTTP-Body/HTML on Redirect
This bothers me often: unfriendly redirects.
Posted in Code Smells, Hacking The Core, Surviving the Internet
Tagged #13909, HTML, HTTP, HTTP Body, HTTP Header, Quality Control, redirect, Security
Prevent XSS on your wordpress Blog with CSP
CSP – short for Content Security Policy – is a Mozilla-driven specification to reduce or eliminate a site’s XSS attack surface. In Ticket #10237 Denis De Bernardy suggested implementing the new Mozilla feature to prevent XSS. That was … Continue reading
Stripslashed to death? – End the Madness!
Another highly biased post with much #WTF potential as it’s typed on twitter: In WordPress there is some pretty stinky code. I always make a joke about the plain wrong slogan “Code is poetry” [sic!] where if that would be, … Continue reading
Posted in Surviving the Internet
Tagged #10360, #12416, #12935, #5791, Development, PHP, Rant, Security, Slashes, Wordpress, [11760]
3 Comments
Cheap Hack/Worm Protection for your WordPress Blog
This on its own might be only security half done, but I thought the idea is good enough to spread the word. It can normally be set up in seconds on the various Linux-based hosts out there: disable eval. … Continue reading
Posted in Hacking The Core, Hakre's Tips, Tools, WordPress Support
Tagged #9602, Eval, Exploit, hack, PHP Security, Security, Sektion Eins, Stefan Esser, Suhosin, Wordpress, Wordpress Security, WP-2.8.5, WP-2.9
3 Comments
Bubbles
Was there a security issue or wasn’t there, behind what many wordpress users experienced at the beginning of April? Google is still full of wordpress sites hacked in that way.
Prevent Code Injection in PHP include files
While discussing coding standards not long ago, I argued against adding ?> at the end of PHP files. But miqrogroove pointed out to me an interesting aspect of why it actually can make sense to have it and an additional … Continue reading
Posted in Code Smells, Hakre's Tips, PHP Code Smells, Pressed
Tagged Code Injection, Include, PHP, PHP Security, Return, Security
Free PHP Security Poster
The Germany-based security company SektionEins, which specializes in web application and PHP security, has a freebie to offer: you can download or order a PHP Security poster. They even send it to you in A0 format for free within … Continue reading
Posted in Hakre's Tips, Pressed
Tagged PHP, PHP Security, Poster, Security, SektionEins, Stefan Esser, Suhosin
PHP Open Basedir degrades Security (Bonus)
Some hosters use the open_basedir restrictions because they think this makes hosting somewhat more secure. Well, normally it does not, because a hoster needing to enable it often shows that the system is not properly configured in respect … Continue reading
Posted in Pressed
Tagged #12148, open_basedir, PHP Security, phpass, Quality Control, Random, Security, Solar Designer
1 Comment
The short memory of WordPress.org security
For the wordpress project it’s said: if you find a bug, report it. The same applies if it is security related. Those who feel – for whatever reason – uncomfortable publicizing it in Trac directly can shoot an … Continue reading
Posted in Hacking The Core, Patched, Pressed
Tagged #11236, #11401, caesarsgrunt, PHP Security, Ryan Boren, Security, Thomas Mackenzie, Wordpress, WP, WP-2.9.2
10 Comments
mysql_real_escape_string and SET NAMES
In #11819 I was looking so hard for clear documentation for mysql_real_escape_string() combined with the usage of SET NAMES. I finally found it where I should have looked first: within the MySQL manual. PHP is using the MySQL client library … Continue reading
Posted in Hacking The Core
Tagged Database, MySQL, PHP, PHP Security, Security, Wordpress, WP
Enhancing Feeds: Comment RSS Security
There is a known bug in WordPress that displays feeds for private posts publicly. If you’re using the private post feature, you should consider taking a look at this plugin, which is not officially available in the plugin … Continue reading →