WordPress 1.5.1.3 Security Vulnerability



According to the entry for WordPress 1.x at Secunia.com, there is a “Highly critical” WordPress vulnerability announced August 10th that affects all 1.x versions, including 1.5.1.3. The details are in this advisory. There is not yet an updated version of WordPress to address the issue, but there is a possible workaround.



According to the writeup, input passed to the “cache_lastpostdate” parameter via cookies is not “properly sanitized” before being processed. This allows arbitrary PHP code to be inserted. The advisory notes that register_globals needs to be enabled for the flaw to be successfully exploited.

If you want a workaround, it sounds like disabling register_globals is the way to go. From what I can see, setting register_globals to off removes a lot of headaches.

Since I’m on a VPS, I have access to my php.ini file, which lets me fix this. Here’s how I dealt with it.

Edit php.ini (usually /etc/php.ini) and look for a line like this:

register_globals = On

Disabling it should be as simple as changing it to:

register_globals = Off

Save the file. I then restarted Apache (I’m not certain that is required for the php.ini change to take effect, but you might do it just in case; I did).
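As an added check for the workaround above (an example script, not part of the original post), this POSIX shell script reports whether register_globals is effectively on in a php.ini-style file and writes a copy with the directive turned off; the file paths and the sample ini contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: check and fix register_globals in a php.ini-style file.
# Paths below are constructed; point the functions at your own php.ini.

# Print the effective state of register_globals in the ini file $1:
# "on", "off", or "unset" (directive absent or present only as a ';' comment).
# Inline comments are stripped and the last active occurrence wins.
register_globals_state() {
    awk '
        { line = $0; sub(/;.*/, "", line) }            # drop ; comments
        tolower(line) ~ /^[ \t]*register_globals[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "", line)             # keep the value only
            sub(/[ \t]+$/, "", line)
            val = tolower(line); gsub(/"/, "", val)
        }
        END {
            if (val == "") print "unset"
            else if (val == "on" || val == "1" || val == "true" || val == "yes") print "on"
            else print "off"
        }' "$1"
}

# Write a copy of ini file $1 to $2 with every active register_globals line
# set to Off, appending the directive if the file never set it at all.
disable_register_globals() {
    awk '
        tolower($0) ~ /^[ \t]*register_globals[ \t]*=/ { print "register_globals = Off"; fixed = 1; next }
        { print }
        END { if (!fixed) print "register_globals = Off" }' "$1" > "$2"
}

# Constructed sample resembling a php.ini with the setting still enabled.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
; php.ini (constructed sample)
safe_mode = Off
;register_globals = Off   ; commented out, so not in effect
register_globals = On     ; the line the workaround targets
EOF
FIXED="$SAMPLE.fixed"

echo "before: $(register_globals_state "$SAMPLE")"   # on
disable_register_globals "$SAMPLE" "$FIXED"
echo "after:  $(register_globals_state "$FIXED")"    # off
```

Compare the two files with diff before copying the fixed version over the real php.ini, then restart the web server as described above.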

I haven’t seen any impact (yet) on the scripts here. From what I read, it’s good coding practice not to rely on register_globals being on, because it can open you up to some nasty code injection vulnerabilities. I think the default distribution of PHP now has it disabled.
