WordPress upgrade fixes 'dangerous' flaw

By Bill Brenner, Senior News Writer 05 Mar 2007 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

"If you downloaded WordPress 2.1.1 within the past three to four days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately," the developers said in a warning on its WordPress Web site.

The development team said it received a message about unusual and highly exploitable code in WordPress, and an investigation confirmed that an attacker had modified version 2.1.1 from its original code.

"It was determined that a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file," the advisory said. "We have locked down that server for further forensics, but at this time it appears that the 2.1.1 download was the only thing touched by the attack. They modified two files in WP to include code that would allow for remote PHP execution."

Although not all downloads of 2.1.1 were affected, the developers said they are declaring the entire version dangerous and have released version 2.1.2, which includes minor updates and entirely verified files. The team is also instituting new preventative measures, "not the least of which is minutely external verification of the download package so we'll know immediately if something goes wrong for any reason," the advisory said. The team has also reset passwords for a number of users with SVN and other access.

The advisory urged users to help find and replace vulnerable versions of the program:

"If your blog is running 2.1.1, please upgrade immediately and do a full overwrite of your old files [and] check out your friends' blogs and if any of them are running 2.1.1 drop them a note and, if you can, pitch in and help them with the upgrade," the advisory said.

Tags: Security Patch Management,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Patch Management Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat How to manage patches for Adobe When is it suitable to remove Java updates?

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary attack vector  (SearchSecurity.com) back door  (SearchSecurity.com) ethical worm  (SearchSecurity.com) Patch Tuesday  (SearchSecurity.com) zero-day exploit  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary