WordPress.org

Ready to get started?Download WordPress

Forums

SecuriTeam reports a flaw in 1.5.1.3 (6 posts)

  1. vsa
    Member
    Posted 8 years ago #

    As you can read [ MOD: LINK REMOVED ] Securiteam says that WordPress version 1.5.1.3 and prior (with register_globals) are Vulnerable Systems.

    It says also that WordPress version 1.5.1.4 or newer are Immune Systems.

    Can anyone shed some light over this subject?
    thanks

  2. Yngwin
    Member
    Posted 8 years ago #

    Can't shed much light here, except that you should never use register_globals anyway (that's a PHP configuration option). Also I haven't seen any 1.5.1.4 or did I miss something?

  3. Mark (podz)
    Support Maven
    Posted 8 years ago #

    This got old a few days ago. It's been reported here several times - the full answers are elsewhere, but Yngwin has the short answer.

  4. skippy
    Member
    Posted 8 years ago #

    It's generally bad form to post exploit code. Had you searched the forums, you could have easily found this comment on this post:

    For various reasons, the core WordPress developers (that is, Ryan and Matt) do not discuss WordPress exploits until a patch is available, and a release plan is in place.

    The vitriol about unpatched vulnerabilities is mis-placed. Matt and Ryan have an obligation to make sure that the problems they fix do not cause more trouble. We experienced this with 1.5.1.2, which was released to fix a problem, and ended up introducing additional problems.

    And as I said, it involves more than just patching. The patches need to be sufficiently tested. The upgrade process needs to be supported by the volunteers here. Simply releasing a new version, and saying "here you go!" would do more harm than good.

    I'm not thrilled about the existence of security vulnerabilities; but it's a fact of life that they'll always be present. WordPress is an increasingly complex piece of software, and although Matt and Ryan make an effort to be security conscious in their coding, they are after all human beings. We all make mistakes; we all have bad days; we all overlook some things.

    You can help, rather than complain.

    Every single reader here is invited to participate in WordPress' development. If you notice problems, please log them at trac.wordpress.org. If you discover a severe vulnerability, email security@wordpress.org. The Open Source mantra is "With many eyes, all bugs are small." By working together, we can squash bugs and make sure that WordPress is as secure as it can be.

  5. vsa
    Member
    Posted 8 years ago #

    To Skippy:
    I should not have linked directly to the Securiteam site. You're right.

    But:
    Had you searched the forums, you could have easily found this comment on this post
    Wrong. I did searched the forum. I did went to check some wp blogs. I did went to google it. The problem was that there was no mention to Securiteam in that post.

    You can help, rather than complain
    I, and many others WP users just wanted to know if the devs were aware of this flaw and if there was a 1.5.1.4 version. This seems quite clear in my text.
    I was not complaining about anything.

  6. The Devs were aware of this problem. That's why they released v1.5.2 yesterday. Upgrade ASAP!

Topic Closed

This topic has been closed to new replies.

About this Topic