ionic

WordPress >= 1.5 uses a different XMLRPC library and is therefore not vulnerable to those exploits.

Dougal you are a liar.

The blog entry about WordPress 1.5.2 is from 14th. The fix was commited to the subversion tree on the 15th. After that point the tarball was silently replaced at an unknown point in time.

Actually I learned about the new version from the blog entry. So please don’t lie to the WordPress users.

masquerade, errare humanum est.

WordPress 1.5.2 does NOT fix the remote code execution exploit.

Just as little warning to all those now installing 1.5.2

WordPress 1.5.2 does not fix the remote code execution vulnerability. It just renders the published exploit useless.

After inserting 10 magic characters into the exploit it will still work against 1.5.2

It is good that you have used quotes around “experts”.

Because according to experts this is an issue with poorly programmed PHP applications. A problem caused by lazy programmers that do not initialize their variables.

When you write C code you also have security problems if you do not initialize your variables. This is for sure not a PHP issue.

And as a sidenote: Chris Shiflett is not a security expert. I invite you to look into his very own software projects, that you can download from his website. In his wwwforum you will find nearly every possible security hole that one can construct within a PHP application.

Btw: turning of register_globals in your .htaccess will not work at all on non apache webservers.

Btw2: the WordPress team knows about other security holes in WordPress 1.5.1.3 for some time now, but they consider them not important enough to fix them.