Feeds

back to article Wordpress backup vuln published

A remote execution vulnerability has been discovered in Wordpress backup utility BackWPup. According to Sydney (Australia) company Sense of Security, which published the advisory along with a proof-of-concept, the vulnerability allows local or remote PHP files to be passed to a component of the utility. “The input passed to the …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

This is a plugin vulnerability, not core wordpress.

So I think the headline could reflect this.

3
0
Thumb Down

What a non-story ....

The headline makes out that this is a WordPress problem. It's not, it's a problem affecting a single plugin [One of the many WordPress "backup" plugins] which is installed on a small number of WordPress installs (Going by the stats on wordpress.org).

In other news, the number 73 to Camberwick Green ran 5 minutes late this morning ... yawn

2
0
Bronze badge

We're adults and we aren't amused by this.

"The input passed to the component wp_xml_export.php via the ‘wpabs’ variable allows the inclusion and execution of local or remote PHP files as long as a ‘_nonce’ value is known. The ‘_nonce’ value relies on a static constant which is not defined in the script meaning that it defaults to the value ‘822728c8d9’."

To my fellow readers: There isn't anything funny here, is there? Because you're a grownup, aren't you? Good.

1
0
Troll

Nonce

Number used Once - no really, that's what Wordpress say it is (despite the fact that they use their 'nonces' for a period of 24 hours)

Maybe someone should send them some old episodes of Porridge...

0
0
Thumb Up

Linguistic differences can be such fun...

I recall when the "nonce" was proposed on the WP development mailing list[1], that somebody or other did post a link to urban dictionary as a hint that this might not be the best word to use, but it didn't catch anyone important's attention...

I suspect that devs who speak UKEnglish kept quiet for amusement purposes. Much the same way that apparently nobody told George Lucas that "Yarael Poof[2]" wasn't an altogether ideal name for a member of the Jedi Council...

[1] Called WP-Hackers[2], presumably so people can laugh at the occasional persion joining to offer credit card numbers, or ask for help getting into someone else's email account...

[2] Name seen in credits, character only in the background.

[2] Yes, *we* all know that hackers doesn't mean that, but since lots of other people don't, it's a losing battle...

0
0
This topic is closed for new posts.