Title: 2.0.7 security vulnerability – patch soon?
Last modified: August 18, 2016

---

# 2.0.7 security vulnerability – patch soon?

 *  [solutionsphp](https://wordpress.org/support/users/solutionsphp/)
 * (@solutionsphp)
 * [19 years, 3 months ago](https://wordpress.org/support/topic/207-security-vulnerability-patch-soon/)
 * I received a report that 2.0.7 has a security vulnerability. 2.1 is fixed but
   requires MySQL 4 which is not available for all the WP sites I need to upgrade.
   Is there going to be a 2.0.8 patch release soon?
 * Advisory: Multiple Remote Vulnerabilities in WordPress
    Advisory ID: 4tphi-sa-20070111-wordpress
    Release Date: 01-24-2007
    Author: Blake Matheny (bmatheny@mobocracy.net)
    Software: WordPress < 2.1
    Impact: Remote & Local DoS, File Disclosure
 * Overview:
    Multiple vulnerabilities exist in the XMLRPC and Pingback implementation
   that are included with WordPress. Note that some issues discovered with Pingback
   affect other vendors as well.

Viewing 15 replies - 1 through 15 (of 16 total)


 *  Moderator [Samuel Wood (Otto)](https://wordpress.org/support/users/otto42/)
 * (@otto42)
 * WordPress.org Admin
 * [19 years, 3 months ago](https://wordpress.org/support/topic/207-security-vulnerability-patch-soon/#post-511039)
 * It looks like it’s a simple patch, you could probably do it yourself.
 * More info and the patch details are here:
    [http://www.securityfocus.com/archive/1/458003/30/30/threaded](http://www.securityfocus.com/archive/1/458003/30/30/threaded)
 *  Thread Starter [solutionsphp](https://wordpress.org/support/users/solutionsphp/)
 * (@solutionsphp)
 * [19 years, 3 months ago](https://wordpress.org/support/topic/207-security-vulnerability-patch-soon/#post-511078)
 * Thanks Otto42! Sorry to be daft, but I’m a little less comfortable on the command
   line than I am with an IDE. How is this patch applied? Does the PLUS sign indicate
   lines of code that are added? It looks like there is no code removed, just added,
   correct?
 * `function wp_remote_fopen( $uri ) {
    + $timeout = 10; + $parsed_url = @parse_url(
   $uri); + if ( !$parsed_url || !is_array($parsed_url) ) + { + return false; + }
   + if ( !isset($parsed_url['scheme']) || + !in_array($parsed['scheme'], array('
   http','https')) ) + { + $uri = 'http://' . $uri; + } if ( ini_get('allow_url_fopen')){
   $fp = @fopen( $uri, 'r' ); if ( !$fp ) return false; + stream_set_timeout($fp,
   $timeout); $linea = ''; while( $remote_read = fread($fp, 4096) ) $linea .= $remote_read;
   @@ -2200,8 +2212,11 @@ curl_setopt ($handle, CURLOPT_URL, $uri); curl_setopt (
   $handle, CURLOPT_CONNECTTIMEOUT, 1); curl_setopt ($handle, CURLOPT_RETURNTRANSFER,
   1); + curl_setopt ($handle, CURLOPT_TIMEOUT, $timeout); $buffer = curl_exec($
   handle); curl_close($handle); + if ( !preg_match('/.*text/.*/', curl_getinfo(
   $handle, CURLINFO_CONTENT_TYPE)) ) + return ''; return $buffer; } else { return
   false;
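Review bot: in the scheme check of the first hunk, `!in_array($parsed['scheme'], array('http','https'))` reads `$parsed`, a variable that is never assigned; the parsed URL is held in `$parsed_url`. As written the lookup never matches, so `'http://'` is prepended to every URI, including ones that already carry an http or https scheme. Change it to `$parsed_url['scheme']`.
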
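Review bot: in the `@@ -2200,8 +2212,11 @@` hunk, the added content-type check calls `curl_getinfo($handle, CURLINFO_CONTENT_TYPE)` after `curl_close($handle)`, and its pattern `'/.*text/.*/'` contains an unescaped `/` inside `/` delimiters, so the pattern is not valid. Either problem keeps `preg_match` from matching, which makes the cURL branch return `''` for every response. Read the content type before closing the handle and use a pattern with a different delimiter, such as `'#text/#'`.
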
 *  Moderator [Samuel Wood (Otto)](https://wordpress.org/support/users/otto42/)
 * (@otto42)
 * WordPress.org Admin
 * [19 years, 3 months ago](https://wordpress.org/support/topic/207-security-vulnerability-patch-soon/#post-511093)
 * Yes, the + indicates adding a new line of code.
 * The bit where it says `@@ -2200,8 +2212,11 @@` means that you should skip ahead
   to line 2200 (in the original file) or line 2212 (in the new file) to continue
   adding your lines and such.
 * The lines with no + or – or ! in front of them are unchanged, and just given 
   as reference points.
 * An easier way would be to use the command line program called “patch” which can
   read that format and do the work for you.
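
The procedure described above, as an added example that is not part of the original replies: rehearse a unified diff with `patch --dry-run`, keep a copy of the original, apply, then confirm the hunks are in place. The `functions.php` stand-in, `fix.diff`, and the helper names `make_demo` and `apply_fix` are constructed for illustration; this is not the WordPress file or the advisory's patch.

```sh
#!/bin/sh
# Added example. The file and diff below are constructed stand-ins,
# not the WordPress functions.php or the advisory's patch.

# make_demo: create a scratch dir with a small functions.php and a unified diff.
make_demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/functions.php" <<'EOF'
<?php
function demo_fetch( $uri ) {
    $fp = @fopen( $uri, 'r' );
    if ( !$fp )
        return false;
    return $fp;
}
EOF
    # Hunk header: 7 lines in the old file become 9 in the new one (2 added).
    cat > "$dir/fix.diff" <<'EOF'
--- functions.php
+++ functions.php
@@ -1,7 +1,9 @@
 <?php
 function demo_fetch( $uri ) {
+    $timeout = 10;
     $fp = @fopen( $uri, 'r' );
     if ( !$fp )
         return false;
+    stream_set_timeout($fp, $timeout);
     return $fp;
 }
EOF
    echo "$dir"
}

# apply_fix DIR: rehearse, back up, apply, then confirm the result.
apply_fix() (
    cd "$1" || exit 1
    # 1. Rehearsal: fails without touching the file if the context lines
    #    differ; -N refuses a diff that is already applied.
    patch -p0 -N --dry-run < fix.diff >/dev/null || exit 2
    # 2. Keep the untouched file so the change can be reviewed or rolled back.
    cp -p functions.php functions.php.orig || exit 3
    patch -p0 -N < fix.diff >/dev/null || exit 3
    # 3. A reverse dry run only succeeds when every hunk is now present.
    patch -p0 -R --dry-run < fix.diff >/dev/null || exit 4
)

demo=$(make_demo) && apply_fix "$demo" && diff -u "$demo/functions.php.orig" "$demo/functions.php" || true
```

The same rehearsal step is what reports a context mismatch when the diff was made against a different release of the file than the one on the server.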
 *  Thread Starter [solutionsphp](https://wordpress.org/support/users/solutionsphp/)
 * (@solutionsphp)
 * [19 years, 3 months ago](https://wordpress.org/support/topic/207-security-vulnerability-patch-soon/#post-511109)
 * Thanks for your help! Patching on the command line turned out to be a snap. For
   those who remain less adventurous, I have posted the patched functions.php file
   for download here:
    [http://www.stevensmedia.com/blog/?p=115](http://www.stevensmedia.com/blog/?p=115)
 *  [jonimueller](https://wordpress.org/support/users/jonimueller/)
 * (@jonimueller)
 * [19 years, 3 months ago](https://wordpress.org/support/topic/207-security-vulnerability-patch-soon/#post-511121)
 * I tried applying the patch that **solutionsphp** was kind enough to provide and
   I get this error when I attempt to either edit a page or post or access the Links
   Manager:
 * `Fatal error: Call to undefined function: attribute_escape() in /home/pixelit/public_html/wp-includes/functions.php on line 2380`
 * I’m not about to subject myself to further grief by upgrading to WP 2.1 while
   it’s still in the state it’s in.
 * Any other solutions?
 *  [theposterpreviouslyknownas](https://wordpress.org/support/users/theposterpreviouslyknownas/)
 * (@theposterpreviouslyknownas)
 * [19 years, 3 months ago](https://wordpress.org/support/topic/207-security-vulnerability-patch-soon/#post-511122)
 * attribute_escape() was introduced in 2.0.6, are you not upgraded to at least 2.0.6?
 * Indeed you are not if the site in your profile is any indication.
 * >>I’m not about to subject myself to further grief by upgrading to WP 2.1 while
   it’s still in the state it’s in.
 * then upgrade to 2.0.7
 * follow the standard upgrade procedure to go from 2.0.4 > 2.0.6 then upload the
   couple new files that make up 2.0.7, then make the necessary changes for that
   little hole.
 * piece of cake 🙂
 *  [DianeV](https://wordpress.org/support/users/dianev/)
 * (@dianev)
 * [19 years, 3 months ago](https://wordpress.org/support/topic/207-security-vulnerability-patch-soon/#post-511123)
 * Yes, but the SecurityFocus article linked to above references this:
 * Software: WordPress < 2.1
 *  [theposterpreviouslyknownas](https://wordpress.org/support/users/theposterpreviouslyknownas/)
 * (@theposterpreviouslyknownas)
 * [19 years, 3 months ago](https://wordpress.org/support/topic/207-security-vulnerability-patch-soon/#post-511124)
 * I am running 2.0.7. THIS is what I did.
 * I took the same function that exists within 2.1 (ITS FIXED) and replaced the 
   old function. It works fine.
 * YOU DO NOT NEED TO RUN 2.1 TO FIX THAT HOLE.
 * This is the function taken right out of 2.1, and it works perfectly within 2.0.7:
 * ```php
   function wp_remote_fopen( $uri ) {
       $timeout = 10;
       $parsed_url = @parse_url($uri);

       if ( !$parsed_url || !is_array($parsed_url) )
           return false;

       if ( !isset($parsed_url['scheme']) || !in_array($parsed_url['scheme'], array('http','https')) )
           $uri = 'http://' . $uri;

       if ( ini_get('allow_url_fopen') ) {
           $fp = @fopen( $uri, 'r' );
           if ( !$fp )
               return false;
           stream_set_timeout($fp, $timeout); // Requires php 4.3
           $linea = '';
           while( $remote_read = fread($fp, 4096) )
               $linea .= $remote_read;
           fclose($fp);
           return $linea;
       } else if ( function_exists('curl_init') ) {
           $handle = curl_init();
           curl_setopt ($handle, CURLOPT_URL, $uri);
           curl_setopt ($handle, CURLOPT_CONNECTTIMEOUT, 1);
           curl_setopt ($handle, CURLOPT_RETURNTRANSFER, 1);
           curl_setopt ($handle, CURLOPT_TIMEOUT, $timeout);
           $buffer = curl_exec($handle);
           curl_close($handle);
           return $buffer;
       } else {
           return false;
       }
   }
   ```
 * It's just fixed, it doesn't use any special additions from 2.1 and it would be nice
   if ppl gave decent advice instead of “working” to get ppl to upgrade to something
   they don't need to.
 * I'm not necessarily talking about you diane, btw, about the “working” thing, 
   I just think ppl don't realize that they don't have to run that blasted bug ridden
   2.1
 *  [DianeV](https://wordpress.org/support/users/dianev/)
 * (@dianev)
 * [19 years, 3 months ago](https://wordpress.org/support/topic/207-security-vulnerability-patch-soon/#post-511125)
 * Hm. I’m getting “error establishing a database connection” at the stevensmedia
   link.
 * So … what? Is this just a matter of adding the SecurityFocus code to functions.php?
 *  Thread Starter [solutionsphp](https://wordpress.org/support/users/solutionsphp/)
 * (@solutionsphp)
 * [19 years, 3 months ago](https://wordpress.org/support/topic/207-security-vulnerability-patch-soon/#post-511131)
 * Sorry about the downtime… my host was doing some server maintenance and MySQL
   didn’t come back online properly. No rest for the wicked!
 * I can’t replicate the errors that jonimueller is experiencing… when you upgraded
   to 2.0.7 did you *delete* files from the server or overwrite them? Overwriting
   doesn’t always work in my experience.
 *  [jonimueller](https://wordpress.org/support/users/jonimueller/)
 * (@jonimueller)
 * [19 years, 3 months ago](https://wordpress.org/support/topic/207-security-vulnerability-patch-soon/#post-511163)
 * I upgraded my various WP sites (running anything from 2.0.1 to 2.0.5) to 2.0.7
   in one fell swoop (as a matter of practice I backup the *.sql file, disable the
   plugins and nuke the /wp-includes and /wp-admin folders and all *.php files except
   wp-config.php before uploading upgrade files).
 * Once that was done and working fine, I then applied the patched functions.php
   file as kindly provided above and all is well. Thanks everyone.
 * J
 *  Thread Starter [solutionsphp](https://wordpress.org/support/users/solutionsphp/)
 * (@solutionsphp)
 * [19 years, 3 months ago](https://wordpress.org/support/topic/207-security-vulnerability-patch-soon/#post-511169)
 * Yay, glad to hear it’s working for you! Thanks for reporting back.
 *  [yumadoug](https://wordpress.org/support/users/yumadoug/)
 * (@yumadoug)
 * [19 years, 3 months ago](https://wordpress.org/support/topic/207-security-vulnerability-patch-soon/#post-511199)
 * >>I’m not about to subject myself to further grief by upgrading to WP 2.1 while
   it’s still in the state it’s in.
 * I tried 2.1, too. Very slow in the post editor and switching between visual and
   code tabs very slow, code does not show some tags. In short, I prefer 2.0.5 (
   sorry to criticize… I do appreciate the hard work, but I’ll wait for a few 2.1
   releases).
 * >>then upgrade to 2.0.7
 * >>follow the standard upgrade procedure to go from 2.0.4 > 2.0.6 then upload
   the couple new files that make up 2.0.7, then make the necessary changes for
   that little hole.
 * I’d like to wait for the 2.0.7 fix in the stable release of 2.0.8 (now RC1); 
   will I need to upgrade to 2.0.6, then 2.0.7, then 2.0.8? I was thinking I could
   just upgrade from 5 to 8, but is that wrong?
 * Or would you guys recommend not waiting for 2.0.8?
 * Thanks!!!
 *  [moshu](https://wordpress.org/support/users/moshu/)
 * (@moshu)
 * [19 years, 3 months ago](https://wordpress.org/support/topic/207-security-vulnerability-patch-soon/#post-511200)
 * Most likely you’ll be able to go from 2.0.5 to 2.0.8… at least that was the 
   case with the other minor upgrades (2.0.x -> to 2.0.7)
 *  [yumadoug](https://wordpress.org/support/users/yumadoug/)
 * (@yumadoug)
 * [19 years, 3 months ago](https://wordpress.org/support/topic/207-security-vulnerability-patch-soon/#post-511202)
 * “Most likely”? I was assuming so too, but I can’t find anything in the forum 
   to confirm it and the posts in this topic give me doubts. Can you confirm it?
   Thanks!!!


The topic ‘2.0.7 security vulnerability – patch soon?’ is closed to new replies.

 * In: [Requests and Feedback](https://wordpress.org/support/forum/requests-and-feedback/)
 * 16 replies
 * 7 participants
 * Last reply from: [moshu](https://wordpress.org/support/users/moshu/)
 * Last activity: [19 years, 3 months ago](https://wordpress.org/support/topic/207-security-vulnerability-patch-soon/page/2/#post-511203)
 * Status: not resolved

