Critical Announcement affecting ALL Wordpress users
July 26th, 2006 | Filed under WordPress
If you are running Wordpress as your blogging platform and if you have been trusting enough to leave User registration enabled for guests, DISABLE IT IMMEDIATELY (in wp-admin >> options: make sure “Anyone can register” is not checked).
Additionally, delete or disable ANY guest account already created by people you are not sure about.
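A database-level way to verify and apply the two steps above (the registration switch, then the audit of self-registered accounts), added here as an example and not part of the original post. It assumes the default wp_ table prefix and the standard WordPress option and meta names; the cutoff date is a constructed placeholder.

```sql
-- 1. Is open registration on?  A value of '1' means "Anyone can register" is checked.
SELECT option_value AS users_can_register
FROM wp_options
WHERE option_name = 'users_can_register';

-- 2. Audit accounts created while registration was open, with the role each holds.
--    The '2006-07-01' cutoff is a constructed placeholder: use the date you enabled registration.
SELECT u.ID, u.user_login, u.user_email, u.user_registered,
       m.meta_value AS capabilities
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID AND m.meta_key = 'wp_capabilities'
WHERE u.user_registered >= '2006-07-01'
ORDER BY u.user_registered;

-- 3. Turn open registration off without going through wp-admin
--    (same effect as unchecking "Anyone can register").
UPDATE wp_options
SET option_value = '0'
WHERE option_name = 'users_can_register';
```

Any row from step 2 whose capabilities are above the default subscriber role, or whose login you do not recognise, is a candidate for the deletion the post asks for.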
Leaving it open and letting people sign-up for guest accounts on your Wordpress blog could lead to incredibly nasty stuff happening if anybody so desired. And trust me I am not exaggerating this. So don’t wait a second to disable this option and please relay the message.
Wordpress dev team has been notified a while back and I dare hope they will soon start acting on it, if only by relaying a similar announcement through the official channel (as well as, of course, releasing a proper patch).
Sorry for the shrill hysterical tone, but this is a big deal. However, disable that one option and you are fine; no need to panic further.
[cheers go to Geoff Eby for discovering and bringing this insane security exploit to my attention]
Update: a small follow-up addressing comments and concerns I have received ever since this last warning, is posted here. Feel free to ignore completely unless you really care about inner Wordpress politics (yawn).
Update 2: Wordpress upgrade 2.0.4 should now patch this bug. If your version of Wordpress is equal to or higher than 2.0.4, feel free to ignore the warning above. If not, then you should/MUST upgrade (more details in the comments).
@ GreyDuck:
For users that are not on the latest version, and don’t have any problems muddling through code, it would be possible to find out the changes from 2.0.3 to 2.0.4, and then look to see if the specific change can be applied to your version.
This is assuming that this issue made it into 2.0.4, since it was all but off the shelf when the issue was brought to their attention.
The best bet is to disable registration for a while, and then see what Geoff and Dr. D have to say about whether it is fixed or not. If it is, then proceed. And good luck.
If 2.0.4 does correct the problem, and you are not completely comfortable with PHP, then your option is upgrading your install, or leaving registration off.
[...] I can’t find any documentation stating the user registration vulnerability has been fixed, but Kelson is reporting it has been taken care of in WordPress 2.0.4. I believe this WordPress release was pushed out quickly due to some information revealed by Dr. Dave earlier in the week. [...]
Update on the security flaw
The exploit has been, as far as I can tell(*), fixed by the latest 2.0.4 release. You are therefore strongly recommended to (read: you MUST) upgrade to this version.
As for the “users can register” option: enabling it back should be OK.
I personally will leave it off on my blogs, as I just don’t feel like entrusting strangers with access to wp-admin in the current state of the code (I insist that the aforementioned exploit has been fixed now, I am only being paranoid here).
(*) Note that this is only my own very superficial testing of the code released: in no way the word of any official developer. You should all be aware that I have barely any more official knowledge of this than you do, considering Matt’s fondness for the stealth&ignore school of crisis management (basically, if it doesn’t make it on Slashdot, you can bet you’ll never read about it on his blog). As you may have noticed, he has been marvellously low-key about the whole thing (you know, don’t want ~~investors~~ users to “panic” or, god forbid, start suspecting that WP might sometimes have security flaws in it). It also bears pointing out that he has neither contacted me nor replied to my emails in any way other than posting his very helpful comment above.
And just to definitely close that chapter of WP’s Incredible Security Adventures by saying I have no regrets whatsoever about releasing this warning, given the way it was otherwise handled by WP officials: 1) deny 2) minimize 3) somewhat acknowledge 4) keep shut 5) release an upgrade that likely won’t be installed by more than 50% of the general public, with, as the only communication, a tiny confusing “upgrade announcement” message in the dashboard feed, wedged between two inconsequential WP marketoid news items.
[...] Here’s the deal: unless you are currently running version 2.0.4 it is recommended that you take the following action without delay: [...]
[...] A new version of Wordpress has been released for download; this version fixes more than 50 bugs from the previous version, including a serious security problem announced a few days ago. [...]
[...] Technikecke Tags: Blog, Wordpress. As early as July 29th the Wordpress team released a new version of the blog software. Today it also appears on Heise as a news item. The reason is that the current version is also said to fix a critical security hole: attackers could use the flaw to break into vulnerable systems, but no further details are known yet. Last week the former WordPress developer with the pseudonym “Dr Dave” warned about the vulnerability on his blog and advised WordPress users to disable user registration for guests. However, he too gives no details about the bug, not even in an F.A.Q. about his warning. Lead developer Matt Mullenweg has so far not responded to an inquiry from heise Security about the bug. Source: Heise Online [...]
[...] Apparently some nasty bug in the code: http://unknowngenius.com/blog/archives/2006/07/26/critical-announcement-to-all-wordpress-users/ Even if you don’t use it, you have to be careful. Scandal. [...]
[...] Because of a critical security problem with the blog software used here, I have temporarily switched off open registration. Since for various reasons I currently can’t get around to uploading a new version of the software to the server, this state may persist for a few more days. I will post a short note here when registration is open again. [...]
[...] Registration of new users has been temporarily disabled until the Wordpress installation is updated. This is due to a bug in earlier versions of Wordpress itself. [...]
[...] WordPress 2.0.4, the latest stable release in their series, is available for download. This release contains several important security fixes, including the unspecified security issue from Dr. Dave of Spam Karma. [...]
[...] Updated to the latest Wordpress (v2.0.4) to take care of some security issues and various other bugs. I figured that with the update of code I’d try to freshen up the site with a new theme. Being me, it doesn’t work completely properly with the initial install and is going to require some tweaking. I’ll be working on that over the next couple days. Also, IE7 Beta3 likes to throw up when trying to connect to the site, claiming there’s a DNS error even though Firefox works just fine. Yay beta! [...]
[...] Pekola.net runs on the Wordpress publishing platform, and Wordpress has the Akismet spam filter, which automatically removes all spam comments and trackbacks. I just went to look at the filter’s results, and this morning Akismet has removed hundreds of comments, so a fairly massive attack. The content of the spam comments is the same junk as in spam emails: online casino, viagra and other ads. I guess someone always falls for them, because otherwise sending spam wouldn’t pay. A couple of days ago I updated Wordpress to the latest 2.0.4 version, and all Wp users should do that update because of the security hole. [...]
[...] Allegedly there is some kind of problem with open registration on Wordpress blogs. Better safe than sorry – make sure you’ve turned off the anyone can register option. [...]
[...] The discoverer of the hole, with the pseudonym “Dr Dave”, does not yet want to reveal exactly what it is about, but he at least gives one hint: anyone who cannot update right away should at least, for now, disable user registration for guests. [...]
[...] WE have reactivated user registration after upgrading to WordPress version 2.0.4 last week. We had to temporarily disable the feature after Dr. Dave, Spam Karma creator, alerted bloggers using WordPress to a potential security issue. The recent upgrade has patched this bug. [...]
[...] There could be a vulnerability in Wordpress. First I read about it here (via Planet Debian), then on the OP (original poster)’s blog. [...]
[...] Source
A little more information on the matter [...]
[...] Critical Announcement affecting ALL Wordpress users [...]
[...] I’ve been noodling around with the idea of a Free For All Friday on Slacker Manager, just to see what would show up. I was gonna do it tomorrow, but then I noticed that maybe it’s not such a good idea. Guess we’ll stay on lockdown around here for now. You can still comment, though. [...]
[...] Just passing along some news about WordPress: Critical Announcement to All WordPress Users. I think it only affects users who have open user registration activated. I don’t. Anyway, check it out. [...]
[...] The exploit used was described about three weeks ago (July 27th, 2006) when Dr. Dave published his “Critical Announcement affecting ALL Wordpress Users.” All in all, it was a fairly stern warning. I would have upgraded to a newer version of Wordpress but couldn’t because I was travelling: If you are running Wordpress as your blogging platform and if you have been trusting enough to leave User registration enabled for guests, DISABLE IT IMMEDIATELY (in wp-admin >> options: make sure “Anyone can register” is not checked). [...]
facilitating hack a vulnerability?
Ok.. So finally Kim did post about my exploit…. (our communication on the subject has been via email so far). I’m not too sure if it should be termed a “hack” though, just because if the intention was to hack, I could have very …
[...] Security Alert! Filed under: General Info, Tips & Tricks by Maria on July 26, 2006 Dr Dave, developer of the must-have spam prevention tool, Spam Karma, sent out the following alert message to all Spam Karma users as an announcement in the Spam Karma administration panel: MAJOR SECURITY ANNOUNCEMENT Affecting all WP users (this is not specifically a Spam Karma problem). Please immediately disable ‘guest user registration’ on your blog if it’s enabled and advise all your friends to do so (details here). I cannot give too much technical details as it would further endanger vulnerable Wordpress users, but trust me this is not a joke. [...]
[...] Authors of popular plugins for WordPress such as Dr. Dave (Spam Karma) are discontinuing their association with WordPress because of some baby mama drama jamma damma. I didn’t really read through everyone’s blogs to see what everyone’s points of view were (the main WordPress developers vs. outside WordPress developers), but it seemed basically like the outside people were not liking the way Matt (co-creator and owner of WP) was handling things, or maybe it’s because WP might be doing some evil stuff on the side. I guess everyone has their share of drama – even the nerds. Posted by Eric on Saturday, September 23, 2006 12:50 am (Possibly) Related Posts: [...]
[...] Our good Doctor Dave, among other things responsible for the excellent and indispensable Spam Karma plug-in (which yours truly prefers to Akismet, by the way), reports a fairly significant security flaw affecting all versions of WordPress. [...]