9 Responses

  1. Jim Walker

    Methinks the tens of thousands of folks who’ve had their servers brought down over the past couple of months due to mass xmlrpc.php connections might have a different opinion about this being a “minor issue.”

    1. Andrew Nacin

      You may be thinking of some clever attempts to abuse pingbacks, but this was not a vulnerability we believe was seen in the wild at all.

  2. Tony Perez

    Hi Brian

    You are incorrect here:

    The bug itself is relatively minor, but of interest is the collaboration between the WordPress and Drupal teams to create a fix.

    One of the pillars of security is Availability. This bug has wide-ranging impacts. Sites / servers could be brought down in an instant. It took us 15 minutes to replicate and create a script to attack. Some minor modifications and we can create a bot to attack as many Drupal and WordPress installs on the web.

    I can assure you that people will not agree this is minor.

  3. Hristo Pandjarov

    As usual, a great post. I think that the fact that such collaboration between some of the most important developers in Drupal and WordPress happened is much more interesting than the vulnerability itself.

  4. Morten

    Working every day with Drupal and WordPress, it’s awesome to know that you guys are working together. Thumbs up :-)

  5. Ben

    Is this affecting WordPress 3.4 too?
