google-code-export / wordpress-web-service

Automatically exported from code.google.com/p/wordpress-web-service

Access Control #1

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Right now everyone who knows the WSDL URL can access all resources if the `args` argument is correctly set, whereas a "normal" blog visitor can't access resources the blog's author didn't intend to publish.

It's easy to simply add a username and password to the SOAP operations. But unfortunately, because the connection isn't secure, a malicious attacker could find out the login data.

On the other hand, a normal WordPress installation doesn't request a secure connection either when an author wishes to log in to the admin area.

Original issue reported on code.google.com by 0x1010...@gmail.com on 28 Jan 2010 at 3:55

GoogleCodeExporter commented 9 years ago

Original comment by 0x1010...@gmail.com on 3 Feb 2010 at 10:18

GoogleCodeExporter commented 9 years ago
You could encrypt the payload using a shared key. Then you can safely send it over HTTP.

Original comment by dwel...@gmail.com on 7 Oct 2010 at 2:37
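The original report asks how to let only the blog's author reach unpublished resources without putting a password on the wire, and the last comment proposes a shared key. Below is an added example, not code from the wordpress-web-service project (written in Python for illustration rather than the project's PHP), of a related shared-key approach: each SOAP operation is accompanied by an HMAC computed over the operation name, its `args`, a timestamp and a nonce. The shared secret itself is never transmitted, a request whose `args` were modified in flight fails verification, and a captured request cannot be replayed after the window or with a reused nonce. The names `SHARED_SECRET`, `sign_request` and `RequestVerifier` and the request layout are assumptions of the example. Note what it does not do: the `args` still travel in the clear, so this provides authentication and integrity but not confidentiality; only the secure connection the reporter mentions (TLS) provides that, and encrypting the payload with a shared key, as the last comment suggests, would likewise need the integrity check and replay protection shown here.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed example secret: a real deployment would provision a per-author
# secret out of band (for example in the author's WordPress profile), never over HTTP.
SHARED_SECRET = b"constructed-example-shared-secret"

# Requests whose timestamp is further than this from the server clock are rejected.
REPLAY_WINDOW_SECONDS = 300


def canonical_bytes(operation, args, timestamp, nonce):
    """Serialise everything the server will act on into one byte string.

    Sorting keys and fixing separators makes the encoding deterministic, so
    client and server compute the MAC over identical bytes.
    """
    args_json = json.dumps(args, sort_keys=True, separators=(",", ":"))
    return "\n".join([operation, args_json, str(timestamp), nonce]).encode("utf-8")


def compute_mac(secret, operation, args, timestamp, nonce):
    """HMAC-SHA256 over the canonical request; the secret itself is never sent."""
    return hmac.new(secret, canonical_bytes(operation, args, timestamp, nonce),
                    hashlib.sha256).hexdigest()


def sign_request(secret, operation, args, timestamp=None, nonce=None):
    """Client side: build a SOAP-like request envelope (hypothetical layout) carrying a MAC.

    `timestamp` and `nonce` are parameters only so that tests can be deterministic;
    callers normally leave them unset.
    """
    ts = int(time.time()) if timestamp is None else int(timestamp)
    nonce = secrets.token_hex(16) if nonce is None else nonce
    return {
        "operation": operation,
        "args": args,
        "timestamp": ts,
        "nonce": nonce,
        "mac": compute_mac(secret, operation, args, ts, nonce),
    }


class RequestVerifier:
    """Server side: accept a request only if its MAC checks out and it is fresh."""

    def __init__(self, secret, window=REPLAY_WINDOW_SECONDS):
        self.secret = secret
        self.window = window
        self.seen_nonces = set()  # production: a store with expiry, e.g. a DB table

    def verify(self, request, now=None):
        """Return (accepted, reason); reasons are stable strings suitable for logging."""
        now = int(time.time()) if now is None else int(now)
        try:
            operation = request["operation"]
            args = request["args"]
            timestamp = int(request["timestamp"])
            nonce = str(request["nonce"])
            mac = str(request["mac"])
        except (KeyError, TypeError, ValueError):
            return False, "malformed"
        # Freshness first: cheap, and it bounds how long a captured request stays usable.
        if abs(now - timestamp) > self.window:
            return False, "stale"
        if nonce in self.seen_nonces:
            return False, "replay"
        expected = compute_mac(self.secret, operation, args, timestamp, nonce)
        # Constant-time comparison so timing does not leak how many bytes matched.
        if not hmac.compare_digest(expected, mac):
            return False, "bad-mac"
        self.seen_nonces.add(nonce)
        return True, "ok"


if __name__ == "__main__":
    verifier = RequestVerifier(SHARED_SECRET)
    req = sign_request(SHARED_SECRET, "getPosts", {"status": "draft"})
    print(verifier.verify(req))          # (True, 'ok')
    print(verifier.verify(req))          # (False, 'replay')
    req["args"] = {"status": "publish"}  # simulated in-flight tampering
    print(RequestVerifier(SHARED_SECRET).verify(req))  # (False, 'bad-mac')
```

The MAC covers the `args` because that is exactly the field the report worries about: without it, a visitor could keep a valid envelope and swap in arguments the author never intended to expose. Each distinct failure reason is returned rather than a bare `False` so the server can log stale, replayed and forged requests separately.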