Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days (like I did), your files may include a security exploit that was added by a hacker, and you should upgrade all of your files to 2.1.2 immediately.

Short story long: This morning WordPress received a note to their security mailing address about unusual and highly exploitable code in WordPress. The issue was investigated, and it appeared that the 2.1.1 download had been modified from its original code. They took the website down immediately to investigate what happened.

It was determined that a hacker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file. They have locked down that server for further forensics, but at this time it appears that the 2.1.1 download was the only thing touched by the attack. They modified two files in WP to include code that would allow for remote PHP execution.

This is the kind of thing you pray never happens, but it did and now they’re dealing with it as best they can. Although not all downloads of 2.1.1 were affected, they’re declaring the entire version dangerous and have released a new version 2.1.2 that includes minor updates and entirely verified files. They are also taking lots of measures to ensure something like this can’t happen again, not the least of which is minute-by-minute external verification of the download package so we’ll know immediately if something goes wrong for any reason.

What You Can Do to Help

If your blog is running 2.1.1, please upgrade immediately and do a full overwrite of your old files, especially those in wp-includes. Check out your friends’ blogs, and if any of them are running 2.1.1, drop them a note and, if you can, pitch in and help them with the upgrade.

If you are a web host or network administrator, block access to “theme.php” and “feed.php”, and any query string with “ix=” or “iz=” in it. If you’re a customer at a web host, you may want to send them a note to let them know about this release and the above information.
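If you want to check your own server logs for the indicators above before (or after) putting the block in place, here is a small detector I have added for illustration; it is not code from the post or from WordPress. It assumes Apache/nginx "combined" access log lines (the sample lines below are constructed, with documentation IP addresses) and flags requests whose target file is theme.php or feed.php, or whose query string carries a parameter literally named ix or iz. It parses the query string instead of grepping for the substring "ix=", which would also match innocent parameters such as "matrix=".

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators named in the advisory above: the two modified files and the two query parameters.
SUSPECT_FILES = {"theme.php", "feed.php"}
SUSPECT_PARAMS = {"ix", "iz"}

# Apache/nginx "combined" log format: client ident user [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not from any real server).
SAMPLE_LOG = """\
203.0.113.7 - - [07/Mar/2007:10:12:01 +0000] "GET /blog/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Mar/2007:10:12:05 +0000] "GET /blog/wp-includes/feed.php?ix=1 HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Mar/2007:10:13:40 +0000] "GET /blog/?feed=rss2 HTTP/1.1" 200 9876 "-" "Feedreader"
198.51.100.9 - - [07/Mar/2007:10:14:02 +0000] "POST /blog/wp-includes/theme.php HTTP/1.1" 200 0 "-" "curl/7.15"
192.0.2.44 - - [07/Mar/2007:10:15:00 +0000] "GET /blog/index.php?matrix=1 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""


def classify_request(target):
    """Return the list of reasons (possibly empty) why a request target matches the indicators."""
    parts = urlsplit(target)
    reasons = []
    # Match on the final path component so /blog/wp-includes/feed.php and /feed.php both count.
    basename = parts.path.rsplit("/", 1)[-1]
    if basename in SUSPECT_FILES:
        reasons.append(f"direct request to {basename}")
    # Parse the query string properly: a raw substring test for "ix=" would also
    # flag harmless parameters such as "matrix=" or "prefix=".
    params = parse_qs(parts.query, keep_blank_values=True)
    hit = sorted(SUSPECT_PARAMS.intersection(params))
    if hit:
        reasons.append("query parameter " + ", ".join(hit))
    return reasons


def scan_log(text):
    """Parse combined-format log lines and return one record per request that matches."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip blank or differently formatted lines
        reasons = classify_request(m["target"])
        if reasons:
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "method": m["method"],
                "target": m["target"],
                "status": int(m["status"]),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["target"]} '
              f'(HTTP {hit["status"]}): {"; ".join(hit["reasons"])}')
```

Run it against a real access log with `scan_log(open("access.log").read())`. The two checks it makes, the final path component and the exact query parameter name, are the same two conditions a web-server block rule for this advisory should encode; a 200 status on a flagged request is worth a closer look, since these files are not meant to be requested directly.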

Comments

2 Comments so far

  1. Gunga Dan on March 7, 2007 5:44 pm

    Open source does have its drawbacks at times!

  2. Franco on March 28, 2007 2:53 am

    Hi there!

    Thanks for the alert… I could’ve… umm… got cracked.
