03-02-2007, 08:53 PM   #1
Golden Master
 
Join Date: Apr 2006
Posts: 7,534
All you wordpress users!!!

http://wordpress.org/development/2007/03/upgrade-212/

Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately.

Longer explanation: This morning we received a note to our security mailing address about unusual and highly exploitable code in WordPress. The issue was investigated, and it appeared that the 2.1.1 download had been modified from its original code. We took the website down immediately to investigate what happened.

It was determined that a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file. We have locked down that server for further forensics, but at this time it appears that the 2.1.1 download was the only thing touched by the attack. They modified two files in WP to include code that would allow for remote PHP execution.

This is the kind of thing you pray never happens, but it did and now we’re dealing with it as best we can. Although not all downloads of 2.1.1 were affected, we’re declaring the entire version dangerous and have released a new version 2.1.2 that includes minor updates and entirely verified files. We are also taking lots of measures to ensure something like this can’t happen again, not the least of which is minutely external verification of the download package so we’ll know immediately if something goes wrong for any reason.

Finally, we reset passwords for a number of users with SVN and other access, so you may need to reset your password on the forums before you can log in again.

What You Can Do to Help

If your blog is running 2.1.1, please upgrade immediately and do a full overwrite of your old files, especially those in wp-includes. Check out your friends' blogs and if any of them are running 2.1.1 drop them a note and, if you can, pitch in and help them with the upgrade.

If you are a web host or network administrator, block access to “theme.php” and “feed.php”, and any query string with “ix=” or “iz=” in it. If you’re a customer at a web host, you may want to send them a note to let them know about this release and the above information.

Thanks to Ryan, Barry, Donncha, Mark, Michael, and Dougal for working through the night to figure out and address this problem, and thanks to Ivan Fratric for reporting it in the first place.

Questions and Answers

Because of the highly unusual nature of this event and release, we’ve set up an email address 21securityfaq@wordpress.org that you can email questions to, and we’ll be updating this entry with more information throughout the day.

Is version 2.0 affected?

No downloads were altered except 2.1.1, so if you’ve downloaded any version of 2.0 you should be fine.

What if we update from SVN?

Nothing in the Subversion repository was touched, so if you upgrade and maintain your blog via SVN there is no chance you downloaded the corrupted release file.
LA061
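The blocking advice in the quoted announcement (theme.php, feed.php, and any query string carrying ix= or iz=) can also be turned into a log check so a host can see whether anyone has probed for the tampered files. The following is an added example, not code from the forum post or from WordPress; it scans constructed Apache-style access-log lines and flags requests matching those indicators.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators from the announcement: the two modified files and the query
# parameter names to watch for.
SUSPECT_FILES = {"theme.php", "feed.php"}
SUSPECT_PARAMS = {"ix", "iz"}

# Apache "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines for the demonstration (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [03/Mar/2007:10:12:01 -0500] "GET /wp-includes/theme.php?ix=abc HTTP/1.1" 200 512 "-" "curl/7.15"
198.51.100.7 - - [03/Mar/2007:10:12:05 -0500] "GET /index.php?s=hello HTTP/1.1" 200 8432 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Mar/2007:10:13:44 -0500] "POST /wp-includes/feed.php?iz=x HTTP/1.1" 200 120 "-" "curl/7.15"
192.0.2.9 - - [03/Mar/2007:10:14:02 -0500] "GET /wp-content/themes/default/style.css HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
192.0.2.9 - - [03/Mar/2007:10:15:30 -0500] "GET /feed/?ix=1 HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

def classify_request(target):
    """Return the advisory indicators a request target matches ([] if clean)."""
    # Parameters are matched by exact name; the announcement's literal rule
    # ("any query string with ix= or iz= in it") is a coarser substring match.
    parts = urlsplit(target)
    reasons = []
    basename = parts.path.rsplit("/", 1)[-1].lower()
    if basename in SUSPECT_FILES:
        reasons.append("path:" + basename)
    params = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    for name in sorted(SUSPECT_PARAMS & params):
        reasons.append("query:" + name + "=")
    return reasons

def scan_log(text):
    """Return (ip, method, target, reasons) for every request that matches."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        reasons = classify_request(m["target"])
        if reasons:
            hits.append((m["ip"], m["method"], m["target"], reasons))
    return hits
```

Running scan_log(SAMPLE_LOG) flags the three sample requests that touch theme.php, feed.php or carry ix=/iz=, and leaves the two ordinary page loads alone.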
03-02-2007, 08:55 PM   #2
Golden Master
 
Join Date: Sep 2006
Posts: 7,883
Re: All you wordpress users!!!

So...it's like a blog software??

Even though I don't approve, I've gotta give props to that hacker, exploiting a major site like that!
__________________
C2D E6600 | 4GB DDR2-800 | 9800GTX+ | Asus P5B-E | 150GB Raptor | 320GB 7200.10 | 750W Xigmatek PSU
freestyler105
03-03-2007, 01:45 PM   #3
Beta Member
 
Join Date: Mar 2007
Posts: 2
Re: All you wordpress users!!!

Thanks le!

I have no WordPress at my host at the minute, still waiting for the domain to resolve. I have a WordPress at WordPress.com; they do everything from their end unless you buy credits for the CSS.

Diddydum66
03-03-2007, 01:46 PM   #4
Fully Optimized
 
Join Date: Oct 2005
Posts: 2,958
Re: All you wordpress users!!!

Yeah, already got patched.
^Mike^
03-03-2007, 04:41 PM   #5
Golden Master
 
Join Date: Apr 2006
Posts: 7,534
Re: All you wordpress users!!!

Quote:
Originally Posted by freestyler105
So...it's like a blog software??

Even though I don't approve, I've gotta give props to that hacker, exploiting a major site like that!
Yeah, it's a blogging script. Kinda like vBulletin is the script that this forum uses.
LA061
03-03-2007, 04:58 PM   #6
Golden Master
 
Join Date: Sep 2006
Posts: 7,883
Re: All you wordpress users!!!

Quote:
Originally Posted by Le GoogelGuRu
Yeah, it's a blogging script. Kinda like vBulletin is the script that this forum uses.
Yeah, I was fiddling around with it last night. Pretty cool.
__________________
C2D E6600 | 4GB DDR2-800 | 9800GTX+ | Asus P5B-E | 150GB Raptor | 320GB 7200.10 | 750W Xigmatek PSU
freestyler105