[Security] WordPress PHP Code Injection Vulnerability (4 posts)

  1. BOK
    Posted 10 years ago #

    I don't want to cause a stampede, but there seems to be a new security issue. Check http://secunia.com/advisories/20271/

    Is this being worked on?
    I cannot reproduce it on my system and blog though...

  2. Reading through this, it is based on exploiting the file cache, which is disabled by default in v2.0.2 because it caused too many issues getting it to work on every possible combination of PHP/CGI/Webserver/Host OS, so it won't affect a v2.0.2 install unless you enable the caching to disk of db data.

    You also have to have an easy-to-guess database password to make the exploit feasible.

  3. udippel
    Posted 10 years ago #

    Downloaded and ran the exploit, but also here, it would not want to do anything and died ...

    I also generate the passwords as random; so no easy guessing.

    Still, the underlying vulnerability is scary, and :(

    Hoping for a patch, nevertheless.

  4. v2.0.3 is now released with the fix for this included.

    See: wordpress.org/development/2006/06/wordpress-203/

Topic Closed
