Comments on: Critical Announcement affecting ALL Wordpress users

By: Innovative Discussions » Blog Archive » abcd post to remove

Innovative Discussions » Blog Archive » abcd post to remove — Wed, 10 Mar 2010 21:26:00 +0000

[...] Notre bon docteur Dave, entre autres choses responsables de l’excellent et indispensable plug-in Spam Karma (que votre serviteur préfère à Akismet, en passant) signale une faille de sécurité assez importante pour toutes les versions de WordPress. [...]

By: Easy Does It University » WordPress has drama

Easy Does It University » WordPress has drama — Wed, 10 Mar 2010 09:50:00 +0000

[...] Authors of popular plugins for WordPress such as Dr. Dave (Spam Karma) are discontinuing their association with WordPress because of some baby mama drama jamma damma. I didn’t really read through everyones blogs to see what everyones points of views were (the main WordPress developers vs. outside WordPress developers) but it seemed basically like the outside people were not liking the way Matt (co-creator and owner of WP) was handling things or maybe it’s because WP might be doing some evil stuff on the side. I guess everyone has their share of drama – even the nerds. Posted by Eric on Saturday, September 23, 2006 12:50 am (Possibly) Related Posts: [...]

By: Maria Langer, the Official Web Site* » WordPress Security Alert!

Maria Langer, the Official Web Site* » WordPress Security Alert! — Wed, 10 Mar 2010 03:41:00 +0000

[...] Dr Dave, developer of the must-have spam prevention tool, Spam Karma, sent out the following alert message to all Spam Karma users as an announcement in the Spam Karma administration panel: MAJOR SECURITY ANNOUNCEMENT Affecting all WP users (this is not specifically a Spam Karma problem). Please immediately disable ‘guest user registration’ on your blog if it’s enabled and advise all your friends to do so (details here). I cannot give too much technical details as it would further endanger vulnerable Wordpress users, but trust me this is not a joke. [...]

By: WordPress Visual QuickStart Guide » Security Alert!

WordPress Visual QuickStart Guide » Security Alert! — Wed, 10 Mar 2010 04:26:00 +0000

[...] Security Alert! Filed under: General Info, Tips & Tricks by Maria on July 26, 2006 Dr Dave, developer of the must-have spam prevention tool, Spam Karma, sent out the following alert message to all Spam Karma users as an announcement in the Spam Karma administration panel: MAJOR SECURITY ANNOUNCEMENT Affecting all WP users (this is not specifically a Spam Karma problem). Please immediately disable ‘guest user registration’ on your blog if it’s enabled and advise all your friends to do so (details here). I cannot give too much technical details as it would further endanger vulnerable Wordpress users, but trust me this is not a joke. [...]

By: http://localhost

http://localhost — Wed, 10 Mar 2010 22:56:00 +0000

facilitating hack a vulnerability ?

Ok.. So finally Kim did post about my exploit…. (our communication on the subject has been via email so far). I’m not too sure if it should be termed a “hack” though, just because if the intention was to hack, I could have very …

By: Kim Cameron’s Identity Weblog » Wordpress vulnerability at identityblog

Wed, 10 Mar 2010 03:05:00 +0000

[...] The exploit used was described about three weeks ago (July 27th, 2006) when Dr. Dave published his “Critical Announcement affecting ALL Wordpress Users.” All in all, it was a fairly stern warning. I would have upgraded to a newer version of Wordpress but couldn’t because I was travelling: If you are running Wordpress as your blogging platform and if you have been trusting enough to leave User registration enabled for guests, DISABLE IT IMMEDIATELY (in wp-admin >> options: make sure “Anyone can register” is not checked). [...]

By: The Blog That Boredom Built

The Blog That Boredom Built — Wed, 10 Mar 2010 12:35:00 +0000

[...] Just passing along some news about WordPress: Critical Announcement to All WordPress Users. I think it only affects users who have open user registration activated. I don’t. Anyway, check it out. [...]

By: Project Syndicate » Blog Archive » Lockdown Friday

Project Syndicate » Blog Archive » Lockdown Friday — Wed, 10 Mar 2010 14:42:00 +0000

[...] I’ve been noodling around with the idea of a Free For All Friday on Slacker Manager, just to see what would show up. I was gonna do it tomorrow, but then I noticed that maybe it’s not such a good idea. Guess we’ll stay on lockdown around here for now. You can still comment, though. [...]

By: Xen Blog » Blog Archive » Wordpress Vulnerability

Xen Blog » Blog Archive » Wordpress Vulnerability — Wed, 10 Mar 2010 02:10:00 +0000

[...] Critical Announcement affecting ALL Wordpress users [...]

By: Залата на Планинския Крал

Залата на Планинския Крал — Wed, 10 Mar 2010 07:48:00 +0000

[...] Източник
Малко повече информация по въпроса [...]

By: wolfgang.lonien.de » Blog Archive » Wordpress vulnerability?

wolfgang.lonien.de » Blog Archive » Wordpress vulnerability? — Wed, 10 Mar 2010 12:31:00 +0000

[...] There could be a vulnerability in Wordpress. First I read about it here (via Planet Debian), then on the OP (original poster)’s blog. [...]

By: INSIDE PCIJ » Blog advisory

INSIDE PCIJ » Blog advisory — Wed, 10 Mar 2010 05:05:00 +0000

[...] WE have reactivated user registration after upgrading to WordPress version 2.0.4 last week. We had to temporarily disable the feature after Dr. Dave, Spam Karma creator, alerted bloggers using WordPress to a potential security issue. The recent upgrade has patched this bug. [...]

By: [zu frueh] pensioniert » Kritische Sicherheitslücke bei Wordpress

[zu frueh] pensioniert » Kritische Sicherheitslücke bei Wordpress — Wed, 10 Mar 2010 17:42:00 +0000

[...] Worum es sich genau handelt will der Entdecker der Lücke mit dem Pseudonym “Dr Dave” noch nicht verraten, allerdings gibt er zumindest einen Hinweis: Wer nicht gleich aktualisieren kann, sollte zumindest fürs Erste die Benutzerregistrierung für GästInnen deaktivieren. [...]

By: Dry the Rain » Blog Archive » Wordpress Security Flaw?

Dry the Rain » Blog Archive » Wordpress Security Flaw? — Wed, 10 Mar 2010 12:05:00 +0000

[...] Allegedly there is some kind of problem with open registration on Wordpress blogs. Better safe than sorry – make sure you’ve turned off the anyone can register option. [...]

By: p e k o l a . n e t » SPAM-hyÃ¶kkÃ¤ys

p e k o l a . n e t » SPAM-hyÃ¶kkÃ¤ys — Wed, 10 Mar 2010 10:56:00 +0000

[...] Pekola.net toimii Wordpress julkaisualustalla ja WordpressistÃ¤ lÃ¶ytyy Akismet spam-suodin, joka poistaa automaattisesti kaikki spam-kommentit ja -viitteet. KÃ¤vin Ã¤sken katsomassa filtterin aikaansaannoksia ja tÃ¤nÃ¤ aamuna Akismet on poistanut satoja kommentteja eli aika massiivinen hyÃ¶kkÃ¤ys. Spam-kommenttien sisÃ¤ltÃ¶ on samaa roskaa, kuin spam-emailienkin eli online kasino-, viagra- ja muita mainoksia. Kai noihin joku aina haksahtaa, koska eihÃ¤n spammin lÃ¤hettÃ¤minen muuten kannattaisi. PÃ¤ivitin pari pÃ¤ivÃ¤Ã¤ sitten Wordpressin uusimpaan 2.0.4 versioon ja tuo pÃ¤ivitys kannattaa kaikkien Wp:n kÃ¤yttÃ¤jien tehdÃ¤ tietoturva-aukon vuoksi. [...]

By: rarmknecht.com › Having Some Fun

rarmknecht.com › Having Some Fun — Wed, 10 Mar 2010 04:26:00 +0000

[...] Updated to the latest Wordpress (v2.0.4) to take care of some security issues and various other bugs. I figured that with the update of code I’d try to freshen up the site with a new theme. Being me, it doesn’t work completely proper with the initial install and is going to require some tweeking. I’ll be working on that over the next couple days. Also, IE7 Beta3 likes to throwup when trying to connect to the site claiming there’s a DNS error even though Firefox works just fine. Yay beta! [...]

By: WordPress 2.0.4 Released | My Webmaster Experience

WordPress 2.0.4 Released | My Webmaster Experience — Wed, 10 Mar 2010 03:44:00 +0000

[...] WordPress 2.0.4, the latest stable release their series, is available for download. This release contains several important security fixes, including the unspecified security issue from Dr. Dave of Spam Karma. [...]

By: De IT y cosas peores » Registro de usuarios deshabilitado

De IT y cosas peores » Registro de usuarios deshabilitado — Wed, 10 Mar 2010 19:03:00 +0000

[...] Se ha deshabilitado temporalmente el registro de usuarios nuevos, hasta que se actualize la instalación de Wordpress. Esto debido a un bug en versiones anteriores del propio Wordpress. [...]

By: Das Voynich-Blog » Blog Archiv » Registrierung momentan nicht mÃ¶glich

Das Voynich-Blog » Blog Archiv » Registrierung momentan nicht mÃ¶glich — Wed, 10 Mar 2010 17:04:00 +0000

[...] Wegen eines kritischen Sicherheitsproblems mit der hier verwendeten Blogsoftware habe ich die Möglichkeit zur offenen Registrierung vorrübergehend abgeschaltet. Da ich im Moment aus verschiedenen Gründen nicht dazu komme, eine neue Version der Software auf dem Server hochzuladen, kann dieser Zustand noch einige Tage bestehen bleiben. Ich werde hier eine kurze Meldung geben, wenn die Registrierung wieder offen ist. [...]

By: Valwit’s » Blog Archive » Huh?!

Valwit’s » Blog Archive » Huh?! — Wed, 10 Mar 2010 15:39:00 +0000

[...] Najwyrazniej jakis paskudny bug w kodzie: http://unknowngenius.com/blog/archives/2006/07/26/critical-announcement-to-all-wordpress-users/ Nawet nie uzywajac trzeba uwazac. Skandal. [...]

By: blog.babytux.de » Wordpress 2.0.4

blog.babytux.de » Wordpress 2.0.4 — Wed, 10 Mar 2010 12:57:00 +0000

[...] Technikecke Tags: Blog, WordpressSchon am 29. Juli veröffentlichte das Wordpress-Team eine neue Version der Blog-Software. Heute findet sich dies auch auf Heise als Newsmeldung wieder. Grund dafür ist, daß mit der aktuellen Version auch ein kritisches Sicherheitsloch behoben worden sein soll: Angreifer könnten sich durch die Lücke in verwundbare Systeme hacken, weitere Details sind bislang jedoch nicht bekannt. Vergangene Woche warnte der ehemalige WordPress-Entwickler mit dem Pseudonym “Dr Dave” in seinem Blog vor der Schwachstelle und riet WordPress-Nutzern, die Benutzerregistrierung für Gäste zu deaktivieren. Allerdings gibt auch er keine Details zu dem Fehler bekannt, nicht einmal in einem F.A.Q. zu seiner Warnung. Auf eine Anfrage von heise Security bezüglich des Fehlers antwortete der Hauptentwickler Matt Mullenweg bislang nicht. Quelle: Heise Online [...]

By: Wordpress se actualiza a 2.0.4 at blooG

Wordpress se actualiza a 2.0.4 at blooG — Wed, 10 Mar 2010 18:03:00 +0000

[...] Una nueva versiÃ³n de Wordpress ha salido para poder ser descargada, en esta versiÃ³n se corrigen mÃ¡s de 50 bugs de la versiÃ³n anterior, incluyendo un grave problema de seguridad anunciado hace pocos dÃas. [...]

By: Dead Reckoning » Archive » WordPress Announcements

Dead Reckoning » Archive » WordPress Announcements — Wed, 10 Mar 2010 21:02:00 +0000

[...] Here’s the deal: unless you are currently running version 2.0.4 it is recommended that you take the following action without delay: [...]

By: dr Dave

dr Dave — Wed, 10 Mar 2010 15:33:00 +0000

Update on the security flaw

The exploit has been, as far as I can tell(*), fixed by the latest 2.0.4 release. You are therefore strongly recommended to (read: you MUST) upgrade to this version.

As for the “users can register” option: enabling it back should be OK.
I personally will leave it off on my blogs, as I just don’t feel like entrusting strangers with access to wp-admin in the current state of the code (I insist that the aforementioned exploit has been fixed now, I am only being paranoid here).

(*) Note that this is only my own very superficial testing of the code released: in no way the word of any official developer. You should all be aware that I have barely any more official knowledge of this than you do, considering Matt’s fondness for the stealth&ignore school of crisis management (basically, if i doesn’t make it on Slashdot, you can bet you’ll never read about it on his blog). As you may have noticed, he has been marvellously low-key about the whole thing (you know, don’t want ~~investors~~ users to “panic” or, god forbid, start suspecting that WP might sometimes have security flaws in it). It also bears pointing out that he has neither contacted me nor replied to my emails in any way other than posting his very helpful comment above.

And just to definitely close that chapter of WP’s Incredible Security Adventures by saying I have no regrets whatsoever about releasing this warning, given the way it was otherwise handled by WP officials: 1) deny 2) minimize 3) somewhat acknowledge 4) keep shut 5) release an upgrade that likely won’t be installed by more than 50% of the general public with for only communication a tiny confusing “upgrade announcement” message in the dashboard feed, wedged between two inconsequential WP marketoid news.

By: T. Longren » WordPress 2.0.4 Released

T. Longren » WordPress 2.0.4 Released — Wed, 10 Mar 2010 15:23:00 +0000

[...] I can’t find any documentation stating the user registration vulnerability has been fixed, but Kelson is reporting it has been taken care of in WordPress 2.0.4. I believe this WordPress release was pushed out quickly due to some information revealed by Dr. Dave earlier in the week. [...]