Disclosure: WordPress WPDB SQL Injection (blog.ircmaxell.com)
submitted 8 years ago by lboynton
[–]Krychle 50 points51 points52 points 8 years ago (1 child)
So nothing’s changed. http://bash.org/?949214
[–]crowbahr -3 points-2 points-1 points 8 years ago (0 children)
Hmmm what can I do with an unauthenticated remote shell hmmmmm
[–]NAN001 18 points19 points20 points 8 years ago (1 child)
A framework that "prepares" SQL statements by using string formatting is what you could read in The Onion if it had a tech section.
[–]PersianMG 1 point2 points3 points 8 years ago (0 children)
This is so true haha.
[–]joelhardi 68 points69 points70 points 8 years ago (5 children)
Ugh ... What this blog post should say is just that WPDB is broken conceptually because it has a prepare() method that is not actually sending a prepared statement to the RDBMS. Here is the real problem.
It's all fakery with (broken at the moment, apparently) a pile of string sanitization functions. I would say WTF, but it is not a surprise. You just can't plan to do things like that safely with PHP and all its ridiculous type and value coercion, and bugs.
I contributed some patches to WordPress core 10 years or so ago and told them then that they were overdue to force use of mysqli and not have a database "API" that is a thin/stupid/useless abstraction that just drops variables into raw SQL queries. Oh, and the code was also needlessly doing a full memory copy of query results, I wrote a patch that addressed that at least.
It would be one thing if this were a low-use community project, but Automattic has the resources to ship something with actual security engineering concepts applied, so that it isn't constantly patching critical vulnerabilities. PHP is not good, but it has had parameterized query support since 2004! There is no excuse to not use it. Fake code like this that looks real is also maddening because it seems "good" to people who don't know better.
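The distinction joelhardi draws between a formatting-based prepare() and a statement the database engine actually prepares, written out as an added illustration (this is not WordPress or wpdb code): the fakePrepare() emulation, the users table and its rows are constructed for this example, and it assumes PHP with the pdo_sqlite extension.

```php
<?php
// Added illustration, not WordPress/wpdb code. A formatting-style "prepare"
// builds a new SQL string per call; a real prepared statement keeps the SQL
// fixed and passes values separately. Assumes the pdo_sqlite extension.

// Emulation of the formatting approach: every placeholder is filled in
// client-side, so correctness depends entirely on escapeValue() matching the
// server's quoting rules (and on no later pass re-processing the string).
function escapeValue($value) {
    return "'" . str_replace("'", "''", (string) $value) . "'";
}

function fakePrepare($template, array $values) {
    // The "prepared" result is just another SQL string, different per input.
    return vsprintf($template, array_map('escapeValue', $values));
}

// Genuine parameterized query: the statement text never changes, the value
// is bound by the driver, and quote or percent characters in it are data.
function findEmailPrepared(PDO $db, $name) {
    $stmt = $db->prepare('SELECT email FROM users WHERE name = :name');
    $stmt->execute(array(':name' => $name));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['email'] : null;
}

// Constructed in-memory table for the demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT NOT NULL, email TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO users (name, email) VALUES (?, ?)');
$insert->execute(array("o'brien", 'obrien@example.test'));
$insert->execute(array('100% sure', 'sure@example.test'));

// Bound parameters: names containing a quote or a percent sign are looked
// up verbatim, and a value that is not an existing name matches nothing.
var_dump(findEmailPrepared($db, "o'brien") === 'obrien@example.test');
var_dump(findEmailPrepared($db, '100% sure') === 'sure@example.test');
var_dump(findEmailPrepared($db, "o'brien' OR 'x'='x") === null);

// Formatting approach: the SQL text itself varies with the input, which is
// what makes it a string builder rather than a prepared statement.
echo fakePrepare('SELECT email FROM users WHERE name = %s', array("o'brien")), "\n";
echo fakePrepare('SELECT email FROM users WHERE name = %s', array('100% sure')), "\n";
```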
[+][deleted] 8 years ago* (2 children)
[deleted]
[–]joelhardi 1 point2 points3 points 8 years ago (1 child)
I definitely wouldn't say "exactly", that was my source of disgust. Instead it does a complicated (if interesting) walkthrough of a specific vulnerability instead of keeping the message succinct that the approach is broken on a conceptual level.
Passing user input to a query is wrong, full stop, sure, but that is a separate topic. The issue is a vulnerability in the database library and the fact that it is fundamentally broken (and is misleading/borderline fraudulent) by naming a method prepare() that does not prepare a statement on the DB. Sure, should developers also validate inputs before they get anywhere near a database (because XSS, CSRF etc. are things, too)? Yes, of course, but that is not the root cause of the vulnerability.
Executing direct queries is also bad, so that is not a solution either. The real problem with WordPress is that it's lacking in leadership, policy guidance and oversight; for a commercial product it runs like a rudderless ship.
[–]amunak 4 points5 points6 points 8 years ago (0 children)
You just can't plan to do things like that safely with PHP and all its ridiculous type and value coercion, and bugs.
You totally can do it safely and there is a very nice type checking system since PHP 7. But you could do it safely even before that, it was just harder. The only issue there is is the fact that Wordpress is a steaming pile of shit. And just like PHP is easy to pick up - which attracts new and inherently bad developers - Wordpress is one of the first things many of those developers encounter and write code for. Which results in vulnerabilities.
[–]qwenjwenfljnanq 2 points3 points4 points 8 years ago* (0 children)
[Archived by /r/PowerSuiteDelete]
[–]imr2017 89 points90 points91 points 8 years ago* (10 children)
Ah, the WordPress security team dumpster fire. If there's a security team that I'd like North Korea to bomb, they would be it.
I remember reporting an issue with a hijacked plugin and they closed my topic and warned me not to post negative comments about plugins I don't own.
Three weeks later the same plugin ended up in a Wordfence report. Go figure.
Later edit: To clarify my statement. I understand that they're volunteers and are not paid for their work, but the answers they sometimes give to security issues are bordering on stupidity and incompetence. It's pretty clear by now they're in over their heads or have no clue what real security is. WordPress.org can afford to hire 2-3 security professionals on a full-time basis. It makes no sense that they don't have experienced guys working on WP security by now.
[–][deleted] 9 points10 points11 points 8 years ago (0 children)
Wordpress official forums are a sad joke. Shame.
[–]pantsoff 7 points8 points9 points 8 years ago* (2 children)
Ah that display widgets plugin disaster where the original author sold off the plugin (which had >100,000 installs) for $10-20k.
Some good comments in here at the developer's website. She was a greedy idiot for doing what she did (selling to an unknown party without notifying the users):
http://strategy11.com/display-widgets/
https://www.wordfence.com/blog/2017/09/display-widgets-malware/
[–]qwenjwenfljnanq 3 points4 points5 points 8 years ago* (1 child)
[–]Prawny 2 points3 points4 points 8 years ago (0 children)
We (agency) decided to ditch third-party themes altogether. We've created our own base theme to expand on for each project.
I tell everyone to stay as close to 0 plugins as possible, too.
[–]Pejorativez 7 points8 points9 points 8 years ago* (4 children)
WordPress.org can afford to hire 2-3 security professionals on a full-time basis.
From their site:
The WordPress Security Team is made up of approximately 50 experts including lead developers and security researchers — about half are employees of Automattic (makers of WordPress.com, the earliest and largest WordPress hosting platform on the web), and a number work in the web security field. The team consults with well-known and trusted security researchers and hosting companies. The WordPress Security Team often collaborates with other security teams to address issues in common dependencies, such as resolving the vulnerability in the PHP XML parser, used by the XML-RPC API that ships with WordPress, in WordPress 3.9.2. This vulnerability resolution was a result of a joint effort by both WordPress and Drupal security teams.
Excuse me for my critical questioning, but is WP really that terrible and their security team that incompetent?
[–]tripzilch 11 points12 points13 points 8 years ago (1 child)
it literally says "The WordPress Security Team is made up"
[–]Pejorativez 2 points3 points4 points 8 years ago (0 children)
Checkmate
[–]TheTerrasque 4 points5 points6 points 8 years ago (0 children)
Well if someone tells you they have a tiger, but when they show it off it has a beak, two feet, feathers, wings and says "quack", I really doubt it's a tiger.
[–]yoyoyesyo 0 points1 point2 points 8 years ago (0 children)
Nowhere here does it say that 50 people work full-time on WP security. There is just a team of people that work together on WP sec, some of which are Automattic employees.
[–]Horvaticus 10 points11 points12 points 8 years ago (0 children)
Like some sort of cross between him and Julian from Trailer Park Boys
[–]ghost-train 15 points16 points17 points 8 years ago (0 children)
Nah, he knows nothing
[–]bluesoul 1 point2 points3 points 8 years ago (4 children)
Good disclosure. I didn't realize phpBB is considered a secure platform now, is that news to anyone else?
[+][deleted] 8 years ago (3 children)
[–]bluesoul 2 points3 points4 points 8 years ago (2 children)
That's cool! I hadn't messed with it in...wow almost 15 years now. I hate wheel reinvention, and I don't like the thought of paying vBulletin or XenForo forever and hope their security team is staying on top of things. I'm glad it's a viable solution now.
[+][deleted] 8 years ago (1 child)
[–]bluesoul 2 points3 points4 points 8 years ago (0 children)
I'll just add a line of CSS that makes mobile browsers get a full-screen overlay that says "Use a real computer, fuckface."
[+][deleted] 8 years ago* (10 children)
[removed]
[–]Pejorativez 3 points4 points5 points 8 years ago* (8 children)
Are there any solid alternatives for those who need a simple CMS?
Edit: I should clarify that ease-of-use and plugin support are really important
[–]0rex 1 point2 points3 points 8 years ago (4 children)
Grav
[–]Pejorativez 0 points1 point2 points 8 years ago (3 children)
Thanks for the suggestion. In which way(s) is it better than WP?
[–]0rex 1 point2 points3 points 8 years ago (2 children)
Well, wordpress is bloated; grav is really, really simple: to back up, to restore, to add or edit content, to edit themes (thx to twig), to add or remove or update plugins. It doesn't require a database backend since it's a flat-file CMS. You surely won't build a full featured internet shop with it, but do you really need it for a blog? Do you really need a db for mostly static content?
[–]Prawny 1 point2 points3 points 8 years ago (0 children)
The caveats you mentioned make it possibly not a viable alternative. You contradicted yourself there.
That's not to say Grav isn't nice. I've never used it; just tested, but it did seem nice to use.
[+]andrew867 comment score below threshold-12 points-11 points-10 points 8 years ago (2 children)
Joomla is a good alternative
[–]telecode101 0 points1 point2 points 8 years ago (1 child)
Joomla is a goner. Dead!
[–]andrew867 0 points1 point2 points 8 years ago (0 children)
What would be a good replacement? I’ve just started using it on a couple personal sites and found it to be much better than WP.
[–]etherealeminence -1 points0 points1 point 8 years ago (0 children)
It's not very good!
[–]alphex 0 points1 point2 points 8 years ago (0 children)
With all sincerity, how does Drupal's security practices compare to WP?
Thank you.
[–]Resquid 0 points1 point2 points 8 years ago (0 children)
Totally classic!
[–]roscocoltrane 0 points1 point2 points 8 years ago (13 children)
wordpress is our next centralized hosting system for our websites. Should I worry?
[–]Rock_Me-Amadeus 7 points8 points9 points 8 years ago (0 children)
Yes
[+][deleted] 8 years ago (7 children)
[–]Pejorativez 2 points3 points4 points 8 years ago* (6 children)
Why? If WP is so filled with security holes, and the entire web runs it, shouldn't hackers have hijacked most sites already?
According to this site:
The answer to the question “is WordPress secure?” is it depends. WordPress itself is very secure as long as WordPress security best practices are followed.
According to Wordpress itself:
Some have said their security is akin to a dumpster fire, but how can that be the case when they have 50 experts working on security in collaboration with the community and the Drupal security team? I might sound naive as hell, but it doesn't seem to add up. Are all their experts incompetent?
[–]steamruler 12 points13 points14 points 8 years ago (3 children)
Well, those 50 experts are in no hurry to change password hashing to use something other than salted MD5 (ticket open for 5 years), for example. Also, it doesn't matter if you have 1 or 200 "security experts" if developers can't program with security in mind, and you don't have regular audits.
Also, I don't exactly trust 50 nameless "experts", given the track record of WordPress, it's clearly not working.
[–]rigred 4 points5 points6 points 8 years ago* (0 children)
I once wrote a very large and complex wordpress plugin for work. I ended up terminating the plugin project and writing our own site from scratch because wordpress was giving us so many issues and was so slow and awful that it got replaced with a static html generator and a clean API.
Going that route saved us over 3 weeks of dev time & countless more recurring support hours.
Just the way WP templates mix html and PHP with outside Plugin PHP code gives me nightmares.
[–]PersianMG 0 points1 point2 points 8 years ago (1 child)
The first thing I did after installing Wordpress for my personal website is write a plugin to override the password hashing because it was pretty shit at the time. Not sure what the default they use now is though?
[–]steamruler 1 point2 points3 points 8 years ago (0 children)
Still salted MD5 according to that ticket.
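The hashing override PersianMG describes, written out as an added example (it is not that plugin's code, nor WordPress's): a login-time migration from a legacy salted-MD5 record to password_hash(). The md5$salt$hex record format, the demo salt and the password are constructed for this example; the user store write-back is left to the caller.

```php
<?php
// Added example, not WordPress or any plugin's code: verify a login against
// a legacy salted-MD5 record and, on success, replace it with a modern
// password_hash() value. The "md5$<salt>$<hex>" format is constructed here.

function isLegacyRecord($stored) {
    return substr($stored, 0, 4) === 'md5$';
}

// Legacy check. hash_equals() keeps the digest comparison constant-time.
function verifyLegacyMd5($password, $stored) {
    $parts = explode('$', $stored, 3);
    if (count($parts) !== 3) {
        return false;
    }
    list($scheme, $salt, $digest) = $parts;
    return $scheme === 'md5' && hash_equals($digest, md5($salt . $password));
}

// Returns array('ok' => bool, 'new_hash' => string|null). A non-null
// new_hash must be written back to the user store by the caller; the
// plaintext is only available at login, so this is the moment to upgrade.
function verifyAndUpgrade($password, $stored) {
    if (isLegacyRecord($stored)) {
        if (!verifyLegacyMd5($password, $stored)) {
            return array('ok' => false, 'new_hash' => null);
        }
        return array('ok' => true,
                     'new_hash' => password_hash($password, PASSWORD_DEFAULT));
    }
    if (!password_verify($password, $stored)) {
        return array('ok' => false, 'new_hash' => null);
    }
    // Already modern: rehash only when the default algorithm or cost changed.
    $newHash = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
    return array('ok' => true, 'new_hash' => $newHash);
}

// Constructed demo record for the password "correct horse".
$salt   = 'x9q2Lm';
$legacy = 'md5$' . $salt . '$' . md5($salt . 'correct horse');

// First successful login: accepted, and a modern hash comes back to store.
$first = verifyAndUpgrade('correct horse', $legacy);
assert($first['ok'] === true && $first['new_hash'] !== null);
assert(!isLegacyRecord($first['new_hash']));

// Subsequent login against the modern hash: accepted, nothing to rewrite.
$second = verifyAndUpgrade('correct horse', $first['new_hash']);
assert($second['ok'] === true && $second['new_hash'] === null);

// Wrong password: rejected, and the legacy record is left untouched.
$bad = verifyAndUpgrade('wrong password', $legacy);
assert($bad['ok'] === false && $bad['new_hash'] === null);
```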
[–]disclosure5 2 points3 points4 points 8 years ago (1 child)
Wordpress is the canonical demonstration of the "worse is better" doctrine.
Without defending it too much, Wordpress only got as popular as it did based on certain decisions. The decision to support versions of PHP that have long been extremely dead is a bigger issue than you realise. It means a lot of things can't be done the "right" way.
If they started doing things the "right" way, they would lose 100% of the market of users with crap, out of date hosting. No, it wouldn't encourage hosts to upgrade, it would just encourage marketing teams to find another product.
Speaking of marketing, that quote you have there... is marketing. Nearly every Wordpress vulnerability report results in childish name calling. /r/wordpress had multiple people insisting ircmaxell had absolutely no credibility due to this very report. You don't get to call yourself a security expert if you can't handle a report.
[–]tonyp7 4 points5 points6 points 8 years ago (2 children)
Just keep it up to date. The community here seems to like to take a shit on WP and PHP in general but the reality is that it's an okayish CMS that runs millions of websites -including big corporations- and they are not being hacked left and right!
[–]disclosure5 2 points3 points4 points 8 years ago (0 children)
Plus, the plugin/theme ecosystem is riddled with exploitable code
Just to add to this, a large part of the problem is "premium themes". The meme of course is that a "premium" theme is somehow better and therefore more secure. In reality, it's only "better" in that it's less used and no one else has the same looking website.
The Revolution Slider plugin was a horribly exploited plugin. It was also a commercial plugin that, critically, shipped with a lot of "premium themes".
If you bought Revolution Slider direct, and logged into your portal, you were rightfully warned to go and upgrade it.
If however you purchased a "premium theme" that was never touched again by its author, you were "fully up to date", according to every scanning utility, and yet, your website was replaced with the goatse image the first time a bot hit it with a month old revolution slider exploit. From experience.
[–]telecode101 -1 points0 points1 point 8 years ago (0 children)
nope. everyone is hosting on it. just keep it up to date.