WordPress 1.5.1.3 Security Vulnerability
According to the entry for WordPress 1.x at Secunia.com, there is a “Highly critical” WordPress vulnerability announced August 10th that affects all 1.x versions, including 1.5.1.3. The details are in this advisory. There is not yet an updated version of WordPress to address the issue, but there is a possible workaround.
According to the writeup, input passed to the “cache_lastpostdate” parameter via cookies is not “properly sanitized” before being processed. This allows arbitrary PHP code to be inserted. The advisory notes that, in order to be successfully exploited, register_globals needs to be enabled.
If you want a workaround, it sounds like disabling register_globals is the way to go. From what I can see, a lot of headaches are removed with register_globals set to off.
Since I’m on a VPS, I have access to my php.ini file, which lets me fix this. Here’s how I dealt with it.
Edit php.ini (usually in /etc/php.ini) and look for a line like this:
register_globals = On
Disabling it should be as simple as
register_globals = Off
Save the file and restart Apache. (I’m not certain a restart is required to reload php.ini, but you might do it just in case; I did.)
I haven’t seen any impact (yet) on the scripts here. From what I read, it’s good coding practice not to rely on register_globals being on, because it can open you up to some nasty code injection vulnerabilities. I think the default distribution of PHP now has it disabled.
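To confirm the workaround actually took, here is a small added shell script (example code, not from the original post or from WordPress) that reads a php.ini and reports whether register_globals is effectively on, following PHP's ini rules: text after ';' is a comment, On/1/True/Yes enable a setting, and the last occurrence of a directive wins. The sample .ini files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: audit a php.ini and report whether
# register_globals is effectively enabled, so the fix is verified, not assumed.

# Usage: register_globals_state /etc/php.ini   -> prints on | off | unset
# PHP ini semantics followed: ';' starts a comment, the values On/1/True/Yes
# mean enabled (case-insensitive), and a later occurrence overrides an earlier
# one. The directive name is compared case-insensitively to stay conservative.
register_globals_state() {
    state="unset"
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "${line%%;*}" | tr 'A-Z' 'a-z')   # strip comment, lower-case
        case "$line" in *=*) ;; *) continue ;; esac           # skip lines with no '='
        key=$(printf '%s' "${line%%=*}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ "$key" = "register_globals" ] || continue
        value=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]"]*//; s/[[:space:]"]*$//')
        case "$value" in
            on|1|true|yes) state="on" ;;
            *)             state="off" ;;
        esac
    done < "$1"
    printf '%s\n' "$state"
}

# Returns non-zero when the given php.ini still enables register_globals.
check_ini() {
    [ "$(register_globals_state "$1")" != "on" ]
}

# Constructed sample files for the demonstration; not real server configs.
write_samples() {
    cat > "$1/before.ini" <<'EOF'
; PHP configuration (constructed sample, before the fix)
register_globals = On
EOF
    cat > "$1/after.ini" <<'EOF'
; register_globals = On   <- commented out, so it no longer counts
register_globals = Off
EOF
}

# Run directly with a path to report on a real file, e.g. ./audit.sh /etc/php.ini
if [ "${1:-}" ]; then
    printf '%s: register_globals is %s\n' "$1" "$(register_globals_state "$1")"
fi
```

Note that the PHP CLI may read a different php.ini than Apache's mod_php, so after restarting Apache a phpinfo() page is the surer confirmation of the value the web server is actually using.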