WordPress and Drupal teams collaborate for simultaneous security releases

Photo of author
Written By Brian Krogsgard

9 thoughts on “WordPress and Drupal teams collaborate for simultaneous security releases”

  1. Methinks the 10’s of thousands of folks who’ve had their servers brought down over the past couple months due to mass xmlrpc.php connections might have a different opinion about this being a “minor issue.”

  2. Hi Brian

    You are incorrect here:

    The bug itself is relatively minor, but of interest is the collaboration between the WordPress and Drupal teams to create a fix.

    One of the pillars of security is Availability. This bug has wide ranging impacts. Sites / servers could be brought down in an instance. It took us 15 minutes to replicate and create a script to attack. Some minor modifications and we can create a bot to attack as many Drupal and WordPress installs on the web.

    I can assure you that People will not agree this is minor.

    Thanks

    Tony

    • I agree availability is important. It’s also worth noting the vulnerability I focused on is not one that allows code execution, and only happens when XML RPC is enabled. A site going down is better than a site being used to send out additional malicious activity.

      I wasn’t trying to downplay a vulnerability, I was telling an interest story of collaboration between the two CMS’ security teams and the reporter.

      Also, with auto-updates on the vast majority of sites (last 3 major versions) it’s a vulnerability that has a short shelf life.

      Nevertheless, point noted.

  3. As usual a great post. I think that the fact that such collaboration between some of the the most important developers in Drupal and WordPress happened is much more interesting than the vulnerability itself.

Comments are closed.

A2 Hosting
WordPress.com