Wordpress 2.1.1 Contains Cracker-infused Exploit Code

Quote:
It was determined that a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file. We have locked down that server for further forensics, but at this time it appears that the 2.1.1 download was the only thing touched by the attack. They modified two files in WP to include code that would allow for remote PHP execution.

Matt warned us this morning without exposing a diff, and as the obvious "how can we push out 2.1.2 if we can't test the codebase in the community?" debate ensued, he posted an explanation on his blog.

If you are one of the unlucky ones who downloaded 2.1.1 this past week, consider these tips from Matt:

Quote:
If you are a web host or network administrator, block access to “theme.php” and “feed.php”, and any query string with “ix=” or “iz=” in it. If you’re a customer at a web host, you may want to send them a note to let them know about this release and the above information.

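As an added example (not from the thread, Matt's post, or WordPress itself), here is a small access-log scan for the indicators listed above: requests to theme.php or feed.php, and query strings carrying an ix= or iz= parameter. The WordPress paths and log lines are constructed; it matches parameter names rather than the raw substring, so a legitimate value such as matrix=1 does not trigger it.

```python
"""Flag web-server requests matching the WordPress 2.1.1 backdoor indicators:
hits on theme.php or feed.php, and query strings with an ix= or iz= parameter.
Added example; the paths and log lines below are constructed, not real traffic."""
import re
from urllib.parse import urlsplit, parse_qs

# Common Log Format: host ident user [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')

SUSPECT_FILES = {"theme.php", "feed.php"}   # files named in the advisory
SUSPECT_PARAMS = {"ix", "iz"}               # query parameters named in the advisory


def classify(target):
    """Return the list of indicator matches for one request target, or [] if clean."""
    parts = urlsplit(target)
    reasons = []
    basename = parts.path.rsplit("/", 1)[-1]
    if basename in SUSPECT_FILES:
        reasons.append(f"path:{basename}")
    # Match on parameter *names*: "matrix=1" parses as name "s"/"matrix", not "ix".
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in sorted(SUSPECT_PARAMS & set(params)):
        reasons.append(f"param:{name}")
    return reasons


def scan(lines):
    """Return (client host, request target, reasons) for every matching log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line; skip rather than guess
        reasons = classify(m["target"])
        if reasons:
            hits.append((m["host"], m["target"], reasons))
    return hits


# Constructed sample log (assumed WordPress layout; placeholder parameter value)
SAMPLE_LOG = """\
203.0.113.7 - - [03/Mar/2007:02:14:05 +0000] "GET /wp-includes/theme.php?iz=PLACEHOLDER HTTP/1.1" 200 512
198.51.100.2 - - [03/Mar/2007:02:14:09 +0000] "GET /index.php?p=12 HTTP/1.1" 200 8120
203.0.113.7 - - [03/Mar/2007:02:15:31 +0000] "GET /wp-includes/feed.php HTTP/1.1" 200 77
198.51.100.9 - - [03/Mar/2007:02:16:00 +0000] "GET /?s=matrix=1 HTTP/1.1" 200 3000
""".splitlines()

if __name__ == "__main__":
    for host, target, reasons in scan(SAMPLE_LOG):
        print(host, target, ",".join(reasons))
```

A host that shows hits on both indicators is a stronger signal than either alone, since the two modified files and the parameter names come from the same advisory.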

great stuff

I am only responsible for patching what... 20 of these things... this is gonna be a long weekend. I gotta make sure none of them were updated recently with the hacked code.


And, for once ...

I'd upgraded WP to 2.0.9 recently (although that means four upgrades of six blogs in the past couple of months). But I hesitated for some reason on 2.1, so this weekend, I guess, is mine.


Yet another WP Problem

I understand that WP is easy to install, but given their track record, I don't understand all the attention they get. There are plenty of other blogging platforms out there.


There are plenty of other blogging platforms out there.

"There are plenty of other blogging platforms out there."

True, but WordPress is sort of the industry standard... I don't know how else to say it... WordPress is generally what people think of when you mention blogging software...


One of the reasons WordPress

One of the reasons WordPress is so popular is that it is immensely configurable, which is not particularly true of some of the other blogging platforms out there.

As well, you can easily install it on your own domain, with your own design (or one of the many free themes out there), your choice of loads of (free or inexpensive donation-ware) plugins, and configure it just about any way you want.

The theme setup means that your "design" is in a separate folder and is untouched by upgrades. You just edit pieces of your theme (header, footer, etc.) and upload; no logging in to control panels and clicking around to edit files (I hate that). This alone was so nice a feature that I pestered my favorite shopping-cart people to do the same thing: separate the themes/designs into html/php files that could simply be edited and uploaded; they're coming out with the new release in a month or so.

And there's loads of help in the wordpress.org forums (where wordpress.org is the home of the free software).

Truth be told, the last upgrade I did took about five minutes per site, so I wasn't exactly complaining.

(Some of) the WordPress folks are also responsible for the wildly successful Akismet.com software that quarantines comment spam in a separate admin page -- something that puts the "fun" back in "blogging" (well, as it were).