There is a security advisory out regarding a Snoopy PHP Webclient vulnerability. Since WordPress uses Snoopy internally, we immediately double-checked to be sure that WP isn’t affected. It’s not.
WordPress uses Snoopy internally to fetch RSS feeds for display in the Dashboard. But by default, all the URLs are hardcoded, and thus not vulnerable to the bug mentioned above. The only way that a WordPress site could be affected is if it had some sort of plugin that allowed users to supply custom feed URLs to the system, and the site had users that the admin could not trust (and who had enough access to provide their own feeds to the plugin).

2 Comments
Well thanks for the heads-up Doug
I’m using Snoopy. It’s good stuff.