Slashdot Mirror

← Back to Stories (view on slashdot.org)

Wordpress 2.1.1 Release Compromised by Cracker

Posted by Zonk on from the not-my-emo-comments-and-angsty-statements dept.

GrumpySimon writes "The recent 2.1.1 release of the popular blog software Wordpress was compromised by a cracker who made it easier for to execute code remotely. This is interesting because the official release was quietly and subtly compromised, and has been in the wild for a few days now. There's no word on if any affected sites have been compromised, but anyone running Wordpress is urged to upgrade to 2.1.2 immediately, and admins can check their logs for access to 'theme.php' or 'feed.php', and query strings with 'ix=' or 'iz=' in them."

3 of 48 comments (clear)

  1. Comment removed by account_deleted · · Score: 2, Insightful

    Comment removed based on user account deletion

  2. Re:Key Details by djupedal · · Score: 2, Insightful

    '...confirming that the initial release was unaffected.'

    No, sorry.

    It only confirms that your copy of the initial release was unaffected. Someone could have come along right after your download and pipped things so that anyone in line right after you received the dirty diaper.

    "If you downloaded 2.1.1 when it was first released, it's probably okay. "

    'if'...? Everyone should update - it's the only safe and practical response, rather than chancing things on an 'if'.

  3. This is always a major concern for OSS projects by Anonymous Coward · · Score: 2, Insightful

    Sometimes I'm sure I'm the only person giving source the once-over before I build or install it. There's little chance of finding anything even if the source has been compromised but it helps me sleep better. Auditing install targets in Makefiles (for shell daemons) is a great hobby.

    OSS releases should be GPG signed by now, unless the attacker can compromise the key we're then left with tampering in the repository.