08.16
Welp, I upgraded my blogging software, WordPress, to version 1.5.2 that among other things “addresses all of the security issues that have been circulating the past few days”.
Yeah, that’s nice. I looked and, at least the exploits I’ve seen, all seem to require 'register_globals' turned on in your php.ini file. In this day and age who actually leaves that setting on? I sure don’t.
Here’s the thing though, I still upgraded. Why? Because it’s a good idea to. In fact, it’s a freaking no brainer.
Interestingly last week I was researching vulnerabilities on the two main blogging packages my employer (oh c’mon, you didn’t think I’d miss a chance to pick on my employer, did you?) uses. I discovered several that were quite serious and when I pointed them out, I got the run around.
To be fair (well, a little fair anyway) my direct employer was much more open to updating and understood the seriousness (perhaps because they’ve already been 0wn3d once through the crappy forum software they use). That they don’t have the knowledgeable assets on staff to do the upgrade is an issue for someone else to address.
Anyway, from the more remote operation, I got the same old excuses:
- It doesn’t affect us
- Upgrading is hard
- We’re not live yet
Which, of course, can all be addressed, in order, with:
- stupid
- stupid
- stupid
Once upon a time I’d just exploit their offending server and forward the results to senior directors. I’ve done that before and it generally nets results.
Of course while everyone is soooooo thankful for me pointing out their fly is open, folks are quick to qualify their thanks with nuggets like “…in the future…” and “…a little more professional…”.
So now I just rant on my blog about it. Would you like some cheese with your whine?
Nice.









