WordPress 1.5.1.3 Security Vulnerability



According to the entry for WordPress 1.x at Secunia.com, there is a “Highly critical” WordPress vulnerability announced August 10th that affects all 1.x versions, including 1.5.1.3. The details are in this advisory. There is not yet an updated version of WordPress that addresses the issue, but there is a workaround.



According to the writeup, input passed to the “cache_lastpostdate” parameter via cookies is not “properly sanitized” before being processed, which allows arbitrary PHP code to be inserted. The advisory notes that successful exploitation requires register_globals to be enabled.

If you want a workaround, disabling register_globals is the way to go. From what I can see, turning register_globals off removes a lot of headaches beyond this one bug.

Since I’m on a VPS, I have access to my php.ini file, which lets me fix this. Here’s how I dealt with it.

Edit php.ini (usually /etc/php.ini) and look for a line like this:

register_globals = On

Disabling it should be as simple as changing that line to

register_globals = Off

Save the file and restart Apache. (I’m not certain a restart is required to reload php.ini, but you might as well do it just in case; I did.)
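The PHP below is an added illustration for this post; it is not WordPress code and it does not reproduce the affected WordPress code path or the advisory’s exploit. It models what register_globals does to a script (every cookie, GET and POST key becomes a global variable before the script runs), shows the explicit, validated way to read the same cookie, and ends with a runtime check you can serve through Apache to confirm the php.ini change took effect. The variable name cache_lastpostdate is taken from the advisory; treating it as a MySQL-style datetime in the validator, and the constructed cookie values, are assumptions made for the demo.

```php
<?php
// Added example for this post: not WordPress code, not the advisory's exploit.
// (1) toy model of register_globals, (2) hardened cookie read, (3) runtime check.

/**
 * Toy model of register_globals: every request key (cookie, GET, POST)
 * becomes a variable in the given scope, whatever the script meant that
 * name to hold. Real PHP did this before any line of the script ran.
 */
function simulate_register_globals(array $request, array $scope)
{
    foreach ($request as $name => $value) {
        $scope[$name] = $value;   // attacker controls both name and value
    }
    return $scope;
}

/**
 * The pattern register_globals breaks: code that treats a global as its own
 * because it never considered that the request could pre-populate it.
 * Returns the value the script ends up using.
 */
function lastpostdate_from_scope(array $scope)
{
    // Common 2005-era idiom: "if it isn't set yet, compute it".
    if (!isset($scope['cache_lastpostdate'])) {
        $scope['cache_lastpostdate'] = '2005-08-10 00:00:00'; // would be a DB lookup
    }
    return $scope['cache_lastpostdate'];
}

/**
 * Hardened reading of the same input: take it from $_COOKIE explicitly,
 * accept only the format you expect, and never let it shadow internal state.
 * Returns the validated string or null.
 */
function lastpostdate_from_cookie(array $cookies)
{
    if (!isset($cookies['cache_lastpostdate']) || !is_string($cookies['cache_lastpostdate'])) {
        return null;
    }
    $v = $cookies['cache_lastpostdate'];
    // Assumed format for the demo: a MySQL DATETIME and nothing else.
    if (!preg_match('/^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$/', $v)) {
        return null;
    }
    return $v;
}

/**
 * Runtime check that the php.ini edit reached the PHP actually serving pages.
 * PHP 5.4+ removed the directive entirely; ini_get() then returns false.
 */
function register_globals_is_off()
{
    $v = ini_get('register_globals');
    return $v === false || $v === '' || $v === '0' || strtolower($v) === 'off';
}

// --- demo with constructed input (not a real exploit payload) --------------
$attackerCookies = array('cache_lastpostdate' => 'attacker supplied string');

$scope = simulate_register_globals($attackerCookies, array());
echo "register_globals on : ", lastpostdate_from_scope($scope), "\n";   // attacker's value
echo "register_globals off: ", lastpostdate_from_scope(array()), "\n";  // script's own value
var_dump(lastpostdate_from_cookie($attackerCookies));                              // NULL
var_dump(lastpostdate_from_cookie(array('cache_lastpostdate' => '2005-08-10 12:00:00')));
echo "php.ini fix in effect: ", (register_globals_is_off() ? "yes" : "NO"), "\n";
```

Run the check by requesting the file through Apache rather than with php on the command line: mod_php reads php.ini when Apache starts, and the CLI may load a different php.ini, so only a request through the web server shows the setting the blog is really running under. Delete the file once you have your answer; a script that echoes server configuration is not something to leave in a web root.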

I haven’t seen any impact (yet) on the scripts here. From what I read, it’s good coding practice not to rely on register_globals being on, because it can open you up to some nasty code injection vulnerabilities. I think the default distribution of PHP now has it disabled.
