Slashdot Mirror


Wordpress 2.1.1 Release Compromised by Cracker

GrumpySimon writes "The recent 2.1.1 release of the popular blog software Wordpress was compromised by a cracker who made it easier to execute code remotely. This is interesting because the official release was quietly and subtly compromised, and has been in the wild for a few days now. There's no word on if any affected sites have been compromised, but anyone running Wordpress is urged to upgrade to 2.1.2 immediately, and admins can check their logs for access to 'theme.php' or 'feed.php', and query strings with 'ix=' or 'iz=' in them."
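The log check the summary recommends, as an added example that is not part of the Slashdot post or of WordPress itself: it assumes Apache combined log format, and the sample lines (IPs from documentation ranges, placeholder `ix=`/`iz=` values) are constructed here for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Mar/2007:10:12:01 +0000] "GET /wp-admin/theme.php?ix=PLACEHOLDER HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Mar/2007:10:13:44 +0000] "GET /wp-includes/feed.php?iz=PLACEHOLDER HTTP/1.1" 200 233 "-" "curl/7.15"
192.0.2.9 - - [03/Mar/2007:10:14:02 +0000] "GET /feed/?cat=3 HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
192.0.2.10 - - [03/Mar/2007:10:15:30 +0000] "GET /wp-admin/theme.php?page=themes HTTP/1.1" 200 4001 "-" "Mozilla/5.0"
192.0.2.11 - - [03/Mar/2007:10:16:00 +0000] "GET /index.php?mix=1 HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

# Indicators named in the summary: the two files and the two query parameters.
WATCHED_FILES = {"theme.php", "feed.php"}
WATCHED_PARAMS = {"ix", "iz"}

# Client IP, timestamp and the request line of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)


def classify(line):
    """Return a finding dict for a suspicious line, or None for a clean one."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a parseable request line
    parts = urlsplit(m.group("target"))
    filename = parts.path.rsplit("/", 1)[-1]
    # parse_qs keys on the parameter *name*, so 'mix=1' does not match 'ix='.
    params = set(parse_qs(parts.query, keep_blank_values=True)) & WATCHED_PARAMS
    file_hit = filename in WATCHED_FILES
    if file_hit and params:
        level = "file+param"   # both indicators together: strongest signal
    elif params:
        level = "param"        # ix=/iz= on some other path
    elif file_hit:
        level = "file"         # direct access to the named file, no ix=/iz=
    else:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "file": filename,
            "params": sorted(params), "level": level}


def scan(log_text):
    """Scan a whole log and return findings in file order."""
    return [f for f in map(classify, log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```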

4 of 48 comments

  2. Re:Key Details by djupedal · Score: 2, Insightful

    '...confirming that the initial release was unaffected.'

    No, sorry.

    It only confirms that your copy of the initial release was unaffected. Someone could have come along right after your download and pipped things so that anyone in line right after you received the dirty diaper.

    "If you downloaded 2.1.1 when it was first released, it's probably okay. "

    'if'...? Everyone should update - it's the only safe and practical response, rather than chancing things on an 'if'.

  3. This is always a major concern for OSS projects by Anonymous Coward · Score: 2, Insightful

    Sometimes I'm sure I'm the only person giving source the once-over before I build or install it. There's little chance of finding anything even if the source has been compromised but it helps me sleep better. Auditing install targets in Makefiles (for shell daemons) is a great hobby.

    OSS releases should be GPG signed by now; unless the attacker can compromise the key, we're then left with tampering in the repository.

  4. Re:Damn crazy crackahs. by linvir · Score: 1, Insightful
    • Hacker
      A very, very naughty boy who does wicked, wicked things to other people's computers, and brags about it on websites with black backgrounds and green text. Used to mean programmer, but doesn't any more. The old meaning is still used by old programmers living in the past, and by new programmers wishing to associate themselves with both programmers and naughty boys simultaneously. Nobody who calls themselves a "hacker" or refers to their activities as "hacking" is worth any of your time or money, no matter whether their surname is "Stallman" or "Mitnick".
    • Cracker
      A word invented by programmers who liked calling themselves hackers, didn't want to lose the term to the naughty boys, and thought that if they just pulled a new word out of their arse, people would gladly learn it and use it. Finally took its last breath when black Americans began to use it as a counterpart to the derogatory word "nigger". Nobody (nobody) calls themselves a "cracker" or refers to their activities as "cracking".