Comments on: Followup on Wordpress Security Issue

By: http://localhost

http://localhost — Tue, 16 Mar 2010 22:56:00 +0000

facilitating hack a vulnerability ?

Ok.. So finally Kim did post about my exploit…. (our communication on the subject has been via email so far). I’m not too sure if it should be termed a “hack” though, just because if the intention was to hack, I could have very …

By: blog.babytux.de » Wordpress 2.0.4

blog.babytux.de » Wordpress 2.0.4 — Tue, 16 Mar 2010 14:31:00 +0000

[...] Technikecke, Wordpress Tags: Blog, WordpressSchon am 29. Juli veröffentlichte das Wordpress-Team eine neue Version der Blog-Software. Heute findet sich dies auch auf Heise als Newsmeldung wieder. Grund dafür ist, daß mit der aktuellen Version auch ein kritisches Sicherheitsloch behoben worden sein soll: Angreifer könnten sich durch die Lücke in verwundbare Systeme hacken, weitere Details sind bislang jedoch nicht bekannt. Vergangene Woche warnte der ehemalige WordPress-Entwickler mit dem Pseudonym “Dr Dave” in seinem Blog vor der Schwachstelle und riet WordPress-Nutzern, die Benutzerregistrierung für Gäste zu deaktivieren. Allerdings gibt auch er keine Details zu dem Fehler bekannt, nicht einmal in einem F.A.Q. zu seiner Warnung. Auf eine Anfrage von heise Security bezüglich des Fehlers antwortete der Hauptentwickler Matt Mullenweg bislang nicht. Quelle: Heise Online [...]

By: Hosting Lmi - Alojamiento web » Bug cr

Hosting Lmi - Alojamiento web » Bug cr — Tue, 16 Mar 2010 09:48:00 +0000

[...] Dr Dave Foolowup on WordPress Security Issue [...]

By: Actualiza tu WordPress de forma urgente - Fernando Gomez

Actualiza tu WordPress de forma urgente - Fernando Gomez — Tue, 16 Mar 2010 00:12:00 +0000

[...] Su utilizasÂ WordPress, te vendrÃa bien saber que ya estÃ¡ disponible la WordPress 2.0.4 y es que se han encontrado mÃ¡s de 50 bugs, pero sobre todo uno de ellos parece ser terriblemente crÃtico. Tanto que sus autores no han querido desvelar exactamente de que se trata, pero instan a correr la voz y a que actualices de forma urgente tu Blog. [...]

By: Squio.blog » Wordpress 2.0.4 security update

Squio.blog » Wordpress 2.0.4 security update — Tue, 16 Mar 2010 16:25:00 +0000

[...] Speaking of which, the discussion around security issues always seems to trigger some hefty debates. Whether to reveal every problem immediately, or to keep it under the hood until a solution exists, or even don’t mention security at all, just make the fixed version available with some vague improvement promises. Well, read this one for yourself here: Dr Dave Â» Followup on Wordpress Security Issue. [...]

By: Kutitots » Blog Archive » WP version 2.0.4 released

Kutitots » Blog Archive » WP version 2.0.4 released — Tue, 16 Mar 2010 13:57:00 +0000

[...] For WP users who don’t read the WP announcements on their Dashboards (or have customized their admin home page entirely like I did for SheeroMedia), you might want to head over the WordPress download section for an update. I don’t normally blog about things like this, but Dr. Dave’s blog post about it made me a bit concerned. Kutitots, Kutitots.Com © 2004-2006 by Gail Dela Cruz. All rights reserved. HAVE SOME SHAME.Don’t copy my flea and layout. Looking for something in particular? [...]

By: Blogging reloaded » Wordpress 2.0.4

Blogging reloaded » Wordpress 2.0.4 — Tue, 16 Mar 2010 13:53:00 +0000

[...] Followup on Wordpress Security Issue [...]

By: rootsvr.de Blog

rootsvr.de Blog — Tue, 16 Mar 2010 13:21:00 +0000

Wordpress Update auf 2.0.4 Sicherheitsfix

Bei der beliebten Blogsoftware Wordpress gibt es mit der Version 2.0.4 diverse kritische LÃ¼cken gestopft und insgesamt 50 Bugs behoben. Das Update sollte so schnell wie mÃ¶glich eingespielt werden.

…

By: rootsvr.de Blog » Blog Archiv » Wordpress Update auf 2.0.4 Sicherheitsfix

Tue, 16 Mar 2010 13:21:00 +0000

[...] Wordpress schliesst mit dem Update auf 2.0.4 diverse SicherheitslÃ¼cken. Dr Dave hat in seinem Blog auf die SicherheitslÃ¼cken aufmerksam gemacht, als workaround sollte man GÃ¤sten das registrieren verbieten, besser aber 2.0.4 installieren: runterladen, drÃ¼berkopieren – fertig! [...]

By: Will

Will — Tue, 16 Mar 2010 11:28:00 +0000

Well, here are all the changes between WP 2.0.3 and WP 2.0.4:

http://trac.wordpress.org/log/branches/2.0?action=stop_on_copy&rev=4066&stop_rev=3826&mode=stop_on_copy

Does NOT include the security fix though does it? I would guess no way!! ???

By: Wordpress Registration Vulnerability an Injection Attack? at FEWL.NET

Wordpress Registration Vulnerability an Injection Attack? at FEWL.NET — Tue, 16 Mar 2010 21:52:00 +0000

[...] This might be a slight follow up to Dr. Dave’s Followup on Wordpress Security Issue. I just woke up after a long flight from Virginia to Tokyo and got to this link via Jem’s site. Details on the vulnerability are sketchy so I thought I’d take a look for myself. The followup post said that the issue is corrected with the Wordpress 2.0.4 upgrade. So I downloaded the newest version and compared it to my current install. I haven’t been looking long, but here’s what I found so far. [...]

By: scaturan

scaturan — Tue, 16 Mar 2010 15:30:00 +0000

thanks Dave!

By: Webrocker » Upgrade auf WP 2.0.4

Webrocker » Upgrade auf WP 2.0.4 — Tue, 16 Mar 2010 10:37:00 +0000

[...] halten, was die Kommentare angeht. Man kann aber auch selbst einen Kommentar verfassen, oder ein Trackback von der eigenen Seite ausmachen. [...]

By: Dead Reckoning » Archive » WordPress Announcements

Dead Reckoning » Archive » WordPress Announcements — Tue, 16 Mar 2010 21:02:00 +0000

[...] This advice comes courtesy of Dr. Dave. He has posted a detailed follow-up to his initial warning which may also be of interest. [...]

By: dr Dave

dr Dave — Tue, 16 Mar 2010 15:47:00 +0000

Regarding people still running 1.5:

Trust me, I am the first one annoyed by this (considering how some of my blogs still happily run 1.5 with little will to upgrade), but it is now time to seriously consider upgrading.

I wished there was a better way, especially considering WP 2.0 comes with its own bunch of issues, bugs and security issues, but it will become increasingly tedious to keep up with all the security fixes and provides 1.5-compatible patches for them. Chiefly thanks to the aforementioned level of transparency and communication around these flaws: it takes skills worthy of a 70’s Eastern European spy to manage and extort clear information from the Powers That Be on every single security flaw that may affect each version of Wordpress.

I for one, will keep user reg disabled on my 1.5 blogs, quickly tweak the most critical bits and look into upgrading to an easier-to-maintain platform (be it WP or other) soon enough. I advise you do the same or your life will be a kafkaesque hell of muddy bug report decrypting and patch maintenance.

By: T. Longren » WordPress 2.0.4 Released

T. Longren » WordPress 2.0.4 Released — Tue, 16 Mar 2010 15:41:00 +0000

[...] I can’t find any documentation stating the user registration vulnerability has been fixed, but Kelson is reporting it has been taken care of in WordPress 2.0.4. I believe this WordPress release was pushed out quickly due to some information revealed by Dr. Dave earlier in the week. [...]

By: dr Dave

dr Dave — Tue, 16 Mar 2010 15:36:00 +0000

Update on the security flaw

The exploit has been, as far as I can tell(*), fixed by the latest 2.0.4 release. You are therefore strongly recommended to (read: you MUST) upgrade to this version.

As for the “users can register” option: enabling it back should be OK.
I personally will leave it off on my blogs, as I just don’t feel like entrusting strangers with access to wp-admin in the current state of the code (I insist that the aforementioned exploit has been fixed now, I am only being paranoid here).

(*) Note that this is only my own very superficial testing of the code released: in no way the word of any official developer. You should all be aware that I have barely any more official knowledge of this than you do, considering Matt’s fondness for the stealth&ignore school of crisis management (basically, if i doesn’t make it on Slashdot, you can bet you’ll never read about it on his blog). As you may have noticed, he has been marvellously low-key about the whole thing (you know, don’t want ~~investors~~ users to “panic” or, god forbid, start suspecting that WP might sometimes have security flaws in it). It also bears pointing out that he has neither contacted me nor replied to my emails in any way other than posting his very helpful comment above.

And just to definitely close that chapter of WP’s Incredible Security Adventures by saying I have no regrets whatsoever about releasing this warning, given the way it was otherwise handled by WP officials: 1) deny 2) minimize 3) somewhat acknowledge 4) keep shut 5) release an upgrade that likely won’t be installed by more than 50% of the general public with for only communication a tiny confusing “upgrade announcement” message in the dashboard feed, wedged between two inconsequential WP marketoid news.

By: Uncle Che

Uncle Che — Tue, 16 Mar 2010 15:26:00 +0000

Yeah, inquiring minds want to know, does 2.0.4 fix the issue? I had several of my older sites still on 2.0.1 and 2.0.2 so I took the initiative today to upgrade every one of my sites to 2.0.4.

By: Soccer Dad

Soccer Dad — Tue, 16 Mar 2010 14:50:00 +0000

If it was, I don’t see it: http://trac.wordpress.org/query?status=closed&milestone=2.0.4

But obviously only Dr D can say for sure. None of those security fixes seemed like a non priv user exploit. My guess is it was not since 2.0.4 was hitting beta just as Dr D sent his announcement. Just a guess.

By: SicherheitslÃ¼cke in WordPress und 2.0.4 Beta Download — Software Guide

SicherheitslÃ¼cke in WordPress und 2.0.4 Beta Download — Software Guide — Tue, 16 Mar 2010 10:54:00 +0000

[...] Mehr Infos gibt es im Wordpress.de-Forum, beim S-O-S SEO Blog und im Folgebeitrag von Dr. Dave. [...]

By: fh

fh — Tue, 16 Mar 2010 10:45:00 +0000

Dear Dr. Dave, thanks for the announcement – but please, can you clarify if the issue has been fixed in 2.0.4?

By: blog.deobald.org » Blog Archive » Wordpress Security Warning

blog.deobald.org » Blog Archive » Wordpress Security Warning — Tue, 16 Mar 2010 18:36:00 +0000

[...] siehe Dr. Dave (Teil 2). [...]

By: IgnacioMarcos

IgnacioMarcos — Tue, 16 Mar 2010 15:51:00 +0000

Dave,

thanks for the advise!

Have you tried to submit this issue to SECURITYFOCUS or any other CERT? Probably that will propagate it much faster and better.

Ignacio.

By: T. Longren

T. Longren — Tue, 16 Mar 2010 15:50:00 +0000

WordPress Security Issue

Dr. Dave, the dude behind Spam Karma, has issued a warning to all WordPress users. A message popped up on my Spam Karma 2 dashboard warning of a potential security vulnerability in WordPress. Here’s part of the warning:
If you are running Wordp…

By: MP:Blog - Mediaprojekte

MP:Blog - Mediaprojekte — Tue, 16 Mar 2010 14:50:00 +0000

Wordpress Sicherheit – User Registrieren dringend abschalten

Laut Dr. Dave und anderen kann es in allen WordPress Versionen ein Sicherheitsproblem geben, wenn Benutzern das Registrieren erlaubt ist.
Es wird dringend empfohlen das Registrieren für Gäste abzuschalten und sämtliche unbekannte Gast-…