New SQL Injection vulnerability?

Viewing 15 replies - 1 through 15 (of 41 total)
  • TechGnome
    Moderator

    @techgnome

    Well, I guess that solves a problem for me….

    A shame really.

    -tg

    Mark (podz)
    Support Maven

    @podz

    Crap.
    Please can this be patched against?

    Edit:
    If you are using 1.5.2, backup your database.
    Frequently.

    TechGnome
    Moderator

    @techgnome

    Comment #10 on the bug page: http://bugs.gentoo.org/show_bug.cgi?id=121661
    reads as follows:

    ah. Sorry should have notified you about my progress. I got in contact with Ryan Boren through security@wordpress.org and discussed the bug with him. His comments were:

    “1.5.2 has several security bugs that are fixed by 2.0.x, including this one. 1.5.2 is pretty much unmaintained now. We could patch this bug, but there would still be several bugs remaining unless we backport everything from 2.0.1.
    We hadn’t planned on backporting anything to 1.5.2.”

    So it’s OK to release with me.

    So that sounds like a “uh, no.” to me…..

    Like I said, it just made a decision easier for me.

    -tg

    And wasn’t it of course only a matter of time anyway….

    Poop. Good thing I’ve been getting familiar with 2.0.1 – *sigh*

    Even though I’m the queen of redundant backups, I’m not gonna mess with trying to stay with 1.5.2 I guess.

    the fix for that.. rather “how” to fix is on trac. Podz, I think you’re the one that linked to the changed files in another thread..

    compare the comment-functions.php’s:

    2.0.* :

    function wp_filter_comment($commentdata) {….

    $commentdata['comment_agent'] = apply_filters('pre_comment_user_agent', $commentdata['comment_agent']);

    .. and so on..

    kses.php was the other file that changed as well if I remem. correctly.

    (nice that I moderate everything)
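
The pattern in the 2.0.x line quoted above, as an added example that is not part of the original thread and is not WordPress's code: the User-Agent header is treated as untrusted input, passed through a filter hook, then written with a bound parameter. The `*_demo` functions, the filter body, the table layout and the sample header are assumptions made for illustration.

```php
<?php
// Added illustration, not WordPress source. add_filter_demo()/apply_filters_demo()
// are simplified stand-ins for WordPress's add_filter()/apply_filters().
$filters = [];

function add_filter_demo(string $tag, callable $fn): void {
    global $filters;
    $filters[$tag][] = $fn;
}

function apply_filters_demo(string $tag, string $value): string {
    global $filters;
    foreach ($filters[$tag] ?? [] as $fn) {
        $value = $fn($value);   // each registered callback rewrites the value in turn
    }
    return $value;
}

// Assumed clean-up for this demo: drop control characters, cap the length.
add_filter_demo('pre_comment_user_agent', function (string $ua): string {
    return substr((string) preg_replace('/[\x00-\x1F\x7F]/', '', $ua), 0, 255);
});

function wp_filter_comment_demo(array $commentdata): array {
    // Same shape as the 2.0.x line quoted above.
    $commentdata['comment_agent'] =
        apply_filters_demo('pre_comment_user_agent', $commentdata['comment_agent']);
    return $commentdata;
}

function insert_comment_demo(PDO $db, array $c): void {
    // Bound parameters keep the header value as data, whatever characters it holds.
    $stmt = $db->prepare('INSERT INTO comments (comment_content, comment_agent) VALUES (?, ?)');
    $stmt->execute([$c['comment_content'], $c['comment_agent']]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (comment_content TEXT, comment_agent TEXT)');

// Constructed sample header containing a quote and a control character;
// in a real request the value would come from $_SERVER['HTTP_USER_AGENT'].
$comment = wp_filter_comment_demo([
    'comment_content' => 'Hello',
    'comment_agent'   => "Mozilla/5.0 (it's a test)\x00",
]);
insert_comment_demo($db, $comment);
$stored = $db->query('SELECT comment_agent FROM comments')->fetchColumn();
var_dump($stored === "Mozilla/5.0 (it's a test)"); // compares the stored value with the filtered header
```
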

    Mark (podz)
    Support Maven

    @podz

    vkaryl – “And wasn’t it of course only a matter of time anyway…”

    so 2.0.2 will be insecure by definition?

    I think everything is “insecure by definition” simply because there’s a whole world of idiots out there who spend their lives digging to find exploitable areas.

    Be nice to be wrong.

    this is actually old …see #5

    oops, I guess a link is needed.

    http://www.frsirt.com/english/advisories/2005/0925

    Hi,

    do I understand correctly that moderated comments are not touched by that problem?

    LHK

    that’s what I read. shall we try it? I have a ua switcher extension installed 🙂 fwiw, I can’t even view my site WITH a ` in my u-a (go figure, cookies)

    whooami, am I to understand from what you said above that 1.5.x can be patched at least temporarily? I have not the time nor the patience right now to do a complete upgrade on my own blog and deal with the resulting fallout from the buggy 2.0.1. Bad enough I have to CLEAR EVERY DAMN THING in my client layouts right now just to get that bad b&tch to render them right (whereas 1.5.x doesn’t need any of it.) *grumbles about hackers, bugs, and life in general*

    LOL whooami,

    you’re way above my head 😉

    I’m just wondering whether I still have some time before I need to update other blogs I also maintain which still are on 1.5.2. Comments usually are – as per definition – set to moderated for blog sites I set up for people, because it’s not really spam they need to guard against, rather competitor nastiness.

    After seeing quite a few problems people have here with updating, I want to sandbox all the updates first and had hoped to be able to do that at leisure.

    LHK

    Mark (podz)
    Support Maven

    @podz

    Do NOT upgrade to 2.0.1 !!
    You’ll have to then upgrade to 2.0.2

    Wait. Hopefully the dev blog will have something. Soon.

    Hey, that’s nice (sarcasm should be assumed there)…. what’s happened to my tester’s list emails that should have info about this? I only got one digest yesterday, nothing so far today….

    Last thing I read, 2.0.2 was still on hold. Sheesh.

    Hi Podz,

    and why is it such a horror to upgrade to 2.0.2 from 2.0.1? *scratching my head*

    LHK

  • The topic ‘New SQL Injection vulnerability?’ is closed to new replies.