It has come to my attention…
by tmac on Feb.16, 2010, under Hacks, Personal, Projects
It has come to my attention that some people are upset about the bug that I have found in WP as apparently someone else had reported it.
Well, the truth is that, looking into it now, that has been the case. The reason that I did not find it before is that the bug wasn’t named how I myself thought it should have been. Nonetheless, this person did find the bug and does deserve credit in the sense that they did try to go to WP to explain but were not successful.
caesarsgrunt – http://profiles.wordpress.org/caesarsgrunt
You can find more information here – http://hakre.wordpress.com/2010/02/16/the-short-memory-of-wordpress-org-security/
Please note I put a lot of hard work into finding and emulating this bug, I emailed WordPress directly with the advisory, and I also have screenshots of how exactly the bug itself works.
10 Comments for this entry
February 16th, 2010 on 3:37 pm
[quote]
WordPress Blog
WordPress 2.9.2
Posted February 15, 2010 by Ryan Boren. Filed under Releases.
Thomas Mackenzie alerted us to a problem where logged in users can peek at trashed posts belonging to other authors. If you have untrusted users signed up on your blog and sensitive posts in the trash, you should upgrade to 2.9.2. As always, you can visit the Tools->Upgrade menu to upgrade.
[/quote]
The quote above is taken from
http://wordpress.org/development/2010/02/wordpress-2-9-2/
It just states that “Thomas Mackenzie alerted us… ”
If one reads carefully, this doesn’t say that
Thomas Mackenzie is the only one or the first one
who discovered this issue.
It just states that Thomas Mackenzie alerted WP.org about the issue.
And it’s a good thing.
February 16th, 2010 on 3:49 pm
Thanks for your support Paul
February 16th, 2010 on 10:31 pm
Hello, I reported the same issue over a week ago.
http://wordpress.org/support/topic/361956?replies=2#post-1398509
Is there a better way to report bugs to wp?
February 16th, 2010 on 10:34 pm
I sent an email to security@wordpress.org before your post and got no reply. I then wrote the advisory as seen below and then got a reply within an hour.
February 17th, 2010 on 1:32 pm
I don't know about the bug, but thanks for your information, and I have upgraded to 2.9.2.
February 17th, 2010 on 2:29 pm
People should not be jealous if wordpress.org chooses to mention your name; I guess it’s in a way a “thank you” for your effort.
And it happens in every aspect of life: you need to make it public to get attention. The risk is: either you get the sympathy or you get the ridicule. People usually don’t want to take the risk and end up just staying silent. So, they cannot then claim the credit if somebody else took the extra effort and got the mention.
Just my opinion. Thanks for helping to make WordPress even better!
February 17th, 2010 on 2:34 pm
Thanks for your kind comment, and I hope you continue to read the blog
February 17th, 2010 on 8:25 pm
Hello, I was wondering because all my websites and most of my clients' websites run on WordPress. A bug such as this is fairly bad for a large website. I wanted to see if there was a better way of reporting a bug so that I can make sure my team direct it correctly next time.
Many thanks
February 17th, 2010 on 10:01 pm
Hi Dave, I have sent you an email about this.
February 20th, 2010 on 11:44 pm
Also aware of the vulnerability and have updated my WordPress. Thanks for the post!