
Script kiddies have awesome tools  - iamelgringo
http://dow.ngra.de/2008/11/04/script-kiddies-have-awesome-tools/
======
tptacek
Wordpress has had a catastrophic history of insecure code, based on a number
of basic design flaws:

* Reliance on ad-hoc hand-coded SQL.

* A system that registers pseudonymous Internet commenters in the same user table as Wordpress administrators.

* Mishandling of internationalization.

Yes, Wordpress is also the most popular blogging platform, and yes, it's also
much more dynamic than its competitors, but phpBB and vBulletin seem to have
had better track records than Wordpress has. It's just not very secure.
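The first bullet above, hand-coded SQL, is worth seeing side by side with the parameterised form. The following is an added example written for this thread; it is not WordPress code and not the commenter's. It assumes PHP with the PDO SQLite driver and uses a constructed in-memory table (with an administrator and a commenter in one table, as the second bullet describes) so it runs offline.

```php
<?php
// Added example, not from the thread or from WordPress: contrasts ad-hoc
// string-built SQL with a parameterised query against an in-memory SQLite DB.

// Constructed sample data: a single user table holding both an admin and a
// commenter, mirroring the "same user table" design the comment criticises.
function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, role TEXT)');
    $db->exec("INSERT INTO users (login, role) VALUES ('admin', 'administrator')");
    $db->exec("INSERT INTO users (login, role) VALUES ('alice', 'subscriber')");
    return $db;
}

// Ad-hoc hand-coded SQL: the login value is spliced straight into the query
// text, so any input containing a quote can change the query's structure.
function find_user_adhoc(PDO $db, string $login): array {
    $sql = "SELECT id, login, role FROM users WHERE login = '" . $login . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Parameterised query: the value is bound separately from the statement, so
// it is always treated as a literal, whatever characters it contains.
function find_user_prepared(PDO $db, string $login): array {
    $stmt = $db->prepare('SELECT id, login, role FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = make_db();
// Constructed hostile input, standing in for a value taken from a request.
$input = "x' OR '1'='1";

echo "ad-hoc:   " . count(find_user_adhoc($db, $input)) . " row(s)\n";
echo "prepared: " . count(find_user_prepared($db, $input)) . " row(s)\n";
```

Run it with `php example.php`. The ad-hoc lookup returns every row, including the administrator, because the spliced-in quote turns the `WHERE` clause into a tautology; the prepared lookup returns nothing, because no login literally equals the hostile string. The defensive point is the one the comment makes: when every query is assembled by hand, each one is a separate place where this mistake can be made, whereas a single parameterised access path removes the whole class.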

~~~
gopher
Basically, Wordpress is written in PHP and this is the root of all evil.

Let's look at the roots of PHP: it was never designed as a programming
language, it was a tiny script language used to create Rasmus Lerdorf's
website. Thus, it has a lot of oddities like the === operator.

Do you know why it is there? Because they wrote a broken instr() wrapper
and messed up the error handling. And instead of doing one thing right, they
added another obfuscation layer. Great design.

Then, PHP was traditionally used by webdesigners, not programmers. This led
to tons of bad code and bad practices. It is not that you cannot write elegant
code in PHP, but there is so much more bad code around that it is hard to find
the good code.

So, why do you wonder about this?

~~~
bprater
Can we stop this argument already?

Real hackers can appreciate every damn language out there. If it weren't for
Basic in the early 80s, I wouldn't be programming now.

PHP is a wonderful gateway language for a generation of web programmers. It is
installed on every webserver and is always ready to rock-n-roll. No other
language has achieved that level of ubiquity.

~~~
tptacek
No. We can have a productive discussion about whether a language and its
frameworks are conducive to secure coding without it devolving into a language
war. We're adults here, and there are more than just stylistic differences
between PHP and its competitors.

------
Haskell
Anyone who has read Wordpress' source code should not be surprised that it
is the most exploited piece of software on the web.

It was not created by programmers. It was created by web designers (hence its
great visual design).

Wordpress was probably the only company that has migrated from Ruby to PHP
(when they purchased Gravatar).

~~~
ivank
Not just one. Derek Sivers: "I spent two years trying to make Rails do
something it wasn’t meant to do, then realized my old abandoned language (PHP,
in my case) would do just fine if approached with my new Rails-gained wisdom."

[http://www.oreillynet.com/ruby/blog/2007/09/7_reasons_i_swit...](http://www.oreillynet.com/ruby/blog/2007/09/7_reasons_i_switched_back_to_p_1.html)

------
timcederman
Here's the script.

<http://madnet.name/eng/files/1/10.html>

------
martey
Most of the blog exploits on the web (including the one in the article) seem
to be focused on WordPress. Are there a large number of people exploiting
vulnerabilities in other blogging platforms, like Movable Type?

~~~
mmagin
First, I assume this is for the same reason that most viruses are for Windows
-- WordPress is one of the most common species in the ecosystem.

Also, if I understand the architecture of Movable Type correctly, it renders
much of the site into static pages. I would expect that this tends to reduce
the number of points where vulnerabilities would be possible, at least as far
as points where it might be exploited via causing it to execute with malicious
parameters via an HTTP request. I.e., in Wordpress, every page you load is the
result of the execution of some PHP scripts, while in a blog that is rendered
to a bunch of static files, it's conceivable that the only thing that
unauthenticated users can mess with is the comment system.

~~~
omouse
Yep, much of Movable Type is static. I think there is an option for dynamic
pages but by default it's static.

------
charlesju
This happened to one of my old wordpress blogs; I had to delete the whole
thing. That's why I just use blogspot through Google now; it's not worth the
time to keep track of all the updates and stuff.

------
alecco
Now point-and-click kiddies are the rage. Scripts are so 90s.

"No sympathy for the devil, keep that in mind. Buy the ticket, take the ride."

