Wordpress 2.1.1 Release Compromised by Cracker

GrumpySimon writes "The recent 2.1.1 release of the popular blog software Wordpress was compromised by a cracker who made it easier for to execute code remotely. This is interesting because the official release was quietly and subtly compromised, and has been in the wild for a few days now. There's no word on if any affected sites have been compromised, but anyone running Wordpress is urged to upgrade to 2.1.2 immediately, and admins can check their logs for access to 'theme.php' or 'feed.php', and query strings with 'ix=' or 'iz=' in them."

Key Details

[Kelson]

From the article, and from some comparisons I did on the downloads:

• The attacker only altered the released files on the download server, not the Subversion repository. (TFA)
• Only the 2.1.1 release was altered. Older versions, such as 2.0, don't seem to have been affected. (TFA)
• If you downloaded 2.1.1 when it was first released, it's probably okay. If you grabbed it in the last four days, you're probably compromised. Upgrade NOW. (TFA, verified with diff)
• 2.1.2 also includes a fix for a cross-site scripting vulnerability discovered a few days ago, so it's worth updating anyway. (diff)

I still had the tar archive of 2.1.1 from when I grabbed it the day of the release, so I compared its contents to the 2.1.2 archive. The two files mentioned in the announcement, feed.php and theme.php, aren't any different, confirming that the initial release was unaffected. That's also where I saw the changes for that XSS bug.

Also update your..

[blankoboy]

To stray on the side of caution, as we don't yet know the nature of the code that was changed, it may be wise for Wordpressers to also change your WP db passwords while updating wp-config.php to reflect the change. If your site was vulnerable with 2.1.1 installed who knows what was done and if what was seen. Perhaps it may be good to even update existing WP user passwords.