Recent Version Even Vulnerable? o.O

… and I thought I was being kind of paranoid. Heh.

From maestro:

I have just learned of a very serious security hole in WordPress that affects all versions (including the most recent). This security hole allows ANY registered user to gain Admin privileges, which allows them to do anything they want to your blog, including deleting all your content, posting spam posts, etc. To close this hole until a new version is released (v 2.2.1 should be out soon and fixes the problem) you will need to disable new user registration on your blogs.

I’ll send out another e-mail once we’re ready to do upgrades after the new version is out, letting everyone know the process for requesting their WordPress be upgraded to the new version. For those curious about the technical details of the security hole, read on. For the technically inclined peeps:

This security hole allows for Remote SQL Injection. SQL injection allows an attacker to insert new data, or modify existing data, in the database of the blog. Basically this gives them full control, as having access to the database trumps anything else. The exploit is not just academic; at least one blog has been attacked with it so far.

I already did my part. How about yours? :)
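The e-mail above describes the mechanism only in one sentence. The following is an added illustration, not code from this blog or from WordPress, of why a query built by string concatenation lets user-supplied data change what the database does, and why a bound parameter does not. The table, the user names and the `lookup_role_*` functions are all constructed for the example.

```python
import sqlite3

# Constructed in-memory database standing in for a blog's user table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "administrator"), ("newuser", "subscriber")])
    conn.commit()
    return conn

def lookup_role_unsafe(conn, login):
    # Vulnerable pattern: untrusted input is spliced into the SQL text,
    # so a quote character in the input alters the statement itself.
    sql = "SELECT role FROM users WHERE login = '%s'" % login
    return sorted(row[0] for row in conn.execute(sql))

def lookup_role_safe(conn, login):
    # Hardened form: the input is bound as a parameter, so it is only
    # ever compared as a literal value and can never become SQL syntax.
    rows = conn.execute("SELECT role FROM users WHERE login = ?", (login,))
    return sorted(row[0] for row in rows)

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"            # constructed input containing a quote
    print("unsafe:", lookup_role_unsafe(db, probe))   # leaks every role
    print("safe:  ", lookup_role_safe(db, probe))     # no such login: []
```

The same difference applies to the INSERT and UPDATE statements the e-mail mentions: with a bound parameter the database never reinterprets the input as part of the statement, which is the fix a new release applies in code, while disabling registration, as advised above, simply keeps untrusted users away from the affected code path until then.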

4 Comments

  1. Seth said,

    June 21, 2007 at 6:27 am

    Thanks for the heads-up, though I’m pretty sure I already have user-reg disabled. That is really sad. SQL injection attacks are not even hard to perform; that’s a massive hole.

  2. Ronin AnimeLover said,

    June 21, 2007 at 4:21 pm

    No problem, Seth. It’s part of my obligation to the community. Glad I could be of some help, even if it’s a little. :)

  3. Adalmin said,

    June 26, 2007 at 12:12 am

    OMG You linked me! I must link you back! But you don’t have a link banner! Never mind, I shall doodle one up!

  4. Ronin AnimeLover said,

    June 26, 2007 at 11:04 pm

    Adalmin said:

    > I must link you back! But you don’t have a link banner! Never mind, I shall doodle one up!

    Feel free, my friend. And please, no lolis in it. lol. :P
