WordPress upgrade fixes 'dangerous' flaw

Article

WordPress upgrade fixes 'dangerous' flaw

Bill Brenner, Senior News Writer
Developers of the open source blogging platform WordPress say users should upgrade to version 2.1.2 immediately to address a "dangerous" security hole an attacker recently managed to exploit.

"If you downloaded WordPress 2.1.1 within the past three to four days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately," the developers said in a warning on its

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

WordPress Web site.

The development team said it received a message about unusual and highly exploitable code in WordPress, and an investigation confirmed that an attacker had modified version 2.1.1 from its original code.

"It was determined that a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file," the advisory said. "We have locked down that server for further forensics, but at this time it appears that the 2.1.1 download was the only thing touched by the attack. They modified two files in WP to include code that would allow for remote PHP execution."

Although not all downloads of 2.1.1 were affected, the developers said they are declaring the entire version dangerous and have released version 2.1.2, which includes minor updates and entirely verified files. The team is also instituting new preventative measures, "not the least of which is minutely external verification of the download package so we'll know immediately if something goes wrong for any reason," the advisory said. The team has also reset passwords for a number of users with SVN and other access.

The advisory urged users to help find and replace vulnerable versions of the program:

"If your blog is running 2.1.1, please upgrade immediately and do a full overwrite of your old files [and] check out your friends' blogs and if any of them are running 2.1.1 drop them a note and, if you can, pitch in and help them with the upgrade," the advisory said.