zonknz
Forum Replies Created
Forum: Fixing WordPress
In reply to: Fatal Error when attempting to upgrade to 3.5 from 3.4.2
ok – the file permissions on the folder
/var/www/wordpress/wp-content/upgrade
were completely screwed up for some reason. I completely removed the upgrade folder and then upgraded without error.
Deleting the upgrade folder is safe to do.
Forum: Fixing WordPress
In reply to: Fatal Error when attempting to upgrade to 3.5 from 3.4.2
I was afraid that might be the answer :/ will have to try this in test…
Forum: Fixing WordPress
In reply to: Fatal Error when attempting to upgrade to 3.5 from 3.4.2
The suggestion is a file permissions issue, but even setting (/var/www/wordpress/wp-content/upgrade/version-current.php) as 777 doesn’t help…
I have disabled all plugins, no change.
Forum: Fixing WordPress
In reply to: WordPress on IIS 7 – plugin update problem
Why is anyone granting IIS write permissions to their core WordPress files?
This is security madness!
Create a separate FTP-only account with write privileges, such that when you need to “elevate privileges”, you can do so.
Forum: Installing WordPress
In reply to: WordPress on load balanced servers
http://en.wikipedia.org/wiki/Clustered_file_system
Look at Gluster: http://www.gluster.org/
(You’d put the client/server on each web server node)
Forum: Installing WordPress
In reply to: Running WordPress on 64 bit Linux
There is no limitation – WordPress will run on x64 Linux LAMP. (Dubious benefit unless you’re using lots of memory?)
Forum: Fixing WordPress
In reply to: WordPress Denial of Service on Full Disclosure 2.8.4
Thanks – I’ve seen this is available and run it through our testing blog; all looks good.
This was useful to force our production blog to re-check for an update :
Forum: Fixing WordPress
In reply to: WordPress Denial of Service on Full Disclosure 2.8.4
Thanks, useful to note they have a fix to limit the length of a trackback, rather than just disabling access to wp-trackback.php
Forum: Fixing WordPress
In reply to: Remove wp- file prefix
If you’re doing this on apache, you could consider using mod-rewrite to do this – it might be ‘safer’ – less likely to break, at least.
Forum: Installing WordPress
In reply to: Delete wp-config.php or leave?
If you’re questioning the wisdom of having an unencrypted file containing passwords in a web readable directory, you’re not alone.
It’s relatively trivial to google and find a bunch of mysql user/passes when people have mis-configured apache/php and the raw output is being returned.
Forum: Fixing WordPress
In reply to: No web.config File?
ahhh… chmod your .htaccess to 666 and it should accept the rewrite rules
and then change them right back. Leaving files world writable is just a bad, bad idea.
Forum: Fixing WordPress
In reply to: Sudden Blank Pages – Dashboard, Plugins & Appearance
XSS attack on the admin page, perhaps? See the version <2.8.1 exploit fixed in 2.8.2 ?
Forum: Fixing WordPress
In reply to: WordPress can be remotely upgraded by non-authenticated user ?
Er.. let’s suppose your blog is for a company, and being able to gain control of such a blog (and post to it) is valuable: Suppose customers/readers of the blog could be encouraged to disclose information by following phishing links in a post that they might instinctively trust?
The point is if you could poison the host’s DNS, you could redirect wordpress.org’s A records to a website indicating ‘upgrade needed’ and then force the download of your exploited code because anyone can force a WordPress install to upgrade.
Are there checks in place to mitigate this vector? Does the upgrade come over, e.g., wordpress.org’s SSL cert?
Forum: Fixing WordPress
In reply to: WordPress can be remotely upgraded by non-authenticated user ?
If it fails, you’ve got a Denial of Service attack!
The reason the upgrade is not working at the moment is there is no version to upgrade to, but yes, it seems no credentials are required to force an upgrade.
If you can poison DNS (send the WordPress downloader where you want) it seems an easy attack vector.
Forum: Fixing WordPress
In reply to: I don’t have FTP!
jdembowski, but all you’re doing is allowing apache write access to (a subset, granted) of the www-data folders, which is exactly what should be avoided? (other than perhaps the upload folder, if you’re allowing image etc. uploads; I block access to non-image file types via mod_rewrite).
Why is setting up FTP/secure FTP listening on the localhost only not a better option, as it fundamentally allows you to process these changes as a different/elevated user?