The incidence of WordPress compromises I wrote of in the spring is still high, but the rate of new infections has dropped considerably. A lot of people learned of their blogs' affliction because they were not getting indexed by Technorati. Props to the folks from Google and the WordPress team for getting the message out too.
Yesterday's release of WordPress 2.6.5 doesn't target SQL injection or XML-RPC vulnerabilities; this time it's a cross-site scripting vulnerability.
The security issue is an XSS exploit discovered by Jeremias Reith that fortunately only affects IP-based virtual servers running on Apache 2.x. If you are interested only in the security fix, copy wp-includes/feed.php and wp-includes/version.php from the 2.6.5 release package. So jump on it, WordPress users, time to update!
2.6.5 contains three other small fixes in addition to the XSS fix. The first prevents accidentally saving post meta information to a revision. The second prevents XML-RPC from fetching incorrect post types. The third adds some user ID sanitization during bulk delete requests. For a list of changed files, consult the full changeset between 2.6.3 and 2.6.5.
Nov 26 2008, 07:09:11 AM PST