Slashdot Mirror


Wordpress 2.1.1 Release Compromised by Cracker

GrumpySimon writes "The recent 2.1.1 release of the popular blog software Wordpress was compromised by a cracker who made it easier to execute code remotely. This is interesting because the official release was quietly and subtly compromised, and has been in the wild for a few days now. There's no word on whether any affected sites have been compromised, but anyone running Wordpress is urged to upgrade to 2.1.2 immediately, and admins can check their logs for access to 'theme.php' or 'feed.php', and query strings with 'ix=' or 'iz=' in them."
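The log check in the summary (hits on theme.php or feed.php carrying an ix= or iz= parameter) is the kind of thing worth scripting rather than grepping by hand, because a substring search for "ix=" also matches unrelated keys such as "prefix=". The following is an added example, not code from the story or from the WordPress project: it parses combined-format access log lines, matches the file by basename and the indicators by parsed parameter name, and grades each hit. The log lines and paths are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" access-log format; only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Indicators named in the announcement: the two touched files and the two
# query-string parameters. Matching on the parsed parameter *name* avoids
# false positives from unrelated keys such as "prefix=" or "matrix=".
SUSPECT_FILES = {"theme.php", "feed.php"}
SUSPECT_PARAMS = {"ix", "iz"}

# Constructed sample lines (hypothetical traffic, not real logs). Paths are
# illustrative; the check keys on the file's basename, not its directory.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Mar/2007:10:12:01 +0000] "GET /wp-includes/theme.php?ix=abc123 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.9 - - [03/Mar/2007:10:12:05 +0000] "GET /feed.php?iz=1 HTTP/1.1" 200 2048 "-" "curl/7.15"
192.0.2.44 - - [03/Mar/2007:10:13:11 +0000] "GET /wp-includes/theme.php HTTP/1.1" 200 128 "-" "Mozilla/5.0"
192.0.2.45 - - [03/Mar/2007:10:14:00 +0000] "GET /?feed=rss2&ix=nope HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.46 - - [03/Mar/2007:10:15:30 +0000] "GET /index.php?prefix=foo HTTP/1.1" 200 700 "-" "Mozilla/5.0"
192.0.2.47 - - [03/Mar/2007:10:16:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def classify(line):
    """Return a finding dict for one log line, or None if nothing matches.

    'high'   = suspect file *and* suspect parameter (the announced pattern)
    'review' = only one of the two; worth a look, but expect benign hits
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    basename = parts.path.rsplit("/", 1)[-1]
    params = set(parse_qs(parts.query, keep_blank_values=True))
    file_hit = basename in SUSPECT_FILES
    matched_params = sorted(params & SUSPECT_PARAMS)
    if file_hit and matched_params:
        severity = "high"
    elif file_hit or matched_params:
        severity = "review"
    else:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "target": m.group("target"),
        "status": m.group("status"),
        "params": matched_params,
        "severity": severity,
    }


def scan(log_text):
    """Scan a whole log and return findings in file order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["severity"]:6} {hit["ip"]:14} {hit["ts"]} {hit["target"]}')
```

Feed it a real access log with `scan(open("access.log").read())`. The "review" grade exists because feed.php and theme.php are legitimately requested by ordinary visitors; only the combination of file and parameter is the pattern the announcement describes.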

7 of 48 comments

  2. Key Details by Kelson · · Score: 5, Informative

    From the article, and from some comparisons I did on the downloads:

    • The attacker only altered the released files on the download server, not the Subversion repository. (TFA)
    • Only the 2.1.1 release was altered. Older versions, such as 2.0, don't seem to have been affected. (TFA)
    • If you downloaded 2.1.1 when it was first released, it's probably okay. If you grabbed it in the last four days, you're probably compromised. Upgrade NOW. (TFA, verified with diff)
    • 2.1.2 also includes a fix for a cross-site scripting vulnerability discovered a few days ago, so it's worth updating anyway. (diff)

    I still had the tar archive of 2.1.1 from when I grabbed it the day of the release, so I compared its contents to the 2.1.2 archive. The two files mentioned in the announcement, feed.php and theme.php, aren't any different, confirming that the initial release was unaffected. That's also where I saw the changes for that XSS bug.

    1. Re:Key Details by djupedal · · Score: 2, Insightful

      '...confirming that the initial release was unaffected.'

      No, sorry.

      It only confirms that your copy of the initial release was unaffected. Someone could have come along right after your download and pipped things so that anyone in line right after you received the dirty diaper.

      "If you downloaded 2.1.1 when it was first released, it's probably okay. "

      'if'...? Everyone should update - it's the only safe and practical response, rather than chancing things on an 'if'.
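Kelson's check above was a diff of his day-one 2.1.1 archive against 2.1.2; djupedal's reply is that this only vouches for the copy Kelson happened to download. The following is an added example, not code from either commenter or from the WordPress project, that does the same comparison by content hash so it is independent of timestamps and archive ordering: it reports members that changed, appeared, or disappeared between a reference tarball and a suspect one. The two archives are constructed in memory with a hypothetical layout, not the real WordPress tree.

```python
import hashlib
import io
import tarfile


def build_tar(files):
    """Build a gzip-compressed tar in memory from {path: bytes}.

    Used only to construct the sample archives below; real use reads the
    downloaded .tar.gz files from disk.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digest_members(tar_bytes):
    """Map every regular file in the archive to its SHA-256 hex digest."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf:
            if not member.isfile():
                continue
            data = tf.extractfile(member).read()
            digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests


def compare_archives(reference, suspect):
    """Diff two archives by content hash, not by mtime or size.

    Returns the member paths that changed, appeared, or disappeared.  A
    clean result only proves the two copies agree; it says nothing about
    whether the reference itself was clean when it was downloaded.
    """
    a, b = digest_members(reference), digest_members(suspect)
    return {
        "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
        "added": sorted(b.keys() - a.keys()),
        "removed": sorted(a.keys() - b.keys()),
    }


def compare_files(reference_path, suspect_path):
    """Convenience wrapper for two archives on disk."""
    with open(reference_path, "rb") as f, open(suspect_path, "rb") as g:
        return compare_archives(f.read(), g.read())


# Constructed sample archives: a minimal, hypothetical layout, not the real
# WordPress tree.  The "tampered" copy has one file altered and one added.
_BASE = {
    "wordpress/readme.html": b"<html>release notes</html>\n",
    "wordpress/wp-includes/feed.php": b"<?php\n// feed helpers\n",
    "wordpress/wp-includes/theme.php": b"<?php\n// theme helpers\n",
}
REFERENCE_TGZ = build_tar(_BASE)
TAMPERED_TGZ = build_tar({
    **_BASE,
    "wordpress/wp-includes/theme.php": _BASE["wordpress/wp-includes/theme.php"]
    + b"// one extra line\n",
    "wordpress/wp-includes/extra.php": b"<?php\n// not in the reference\n",
})


if __name__ == "__main__":
    for kind, names in compare_archives(REFERENCE_TGZ, TAMPERED_TGZ).items():
        for name in names:
            print(f"{kind:8} {name}")
```

With two real downloads the call is `compare_files("wordpress-2.1.1-day1.tar.gz", "wordpress-2.1.1-later.tar.gz")`. Hashing the members rather than diffing text makes the result the same regardless of how the archives were packed, which is what you want when the question is "were any bytes changed", not "what changed".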

  3. Re:Damn crazy crackahs. by User+956 · · Score: 4, Funny

    Dem crackahs ALWAYS be gettin' all up in my WordPress yo. Fo'realz!

    I thought the politically-correct term for "cracker" was "caucasian-american"?

    --
    The theory of relativity doesn't work right in Arkansas.

  4. Also update your.. by blankoboy · · Score: 2, Informative

    To err on the side of caution, as we don't yet know the nature of the code that was changed, it may be wise for Wordpressers to also change your WP db passwords while updating wp-config.php to reflect the change. If your site was vulnerable with 2.1.1 installed, who knows what was done and what was seen. Perhaps it may be good to even update existing WP user passwords.

  5. Re:Damn crazy crackahs. by PietjeJantje · · Score: 2, Funny

    What about this arrangement: let us all agree here to call hackers crackers from now on, and don't tell the media. This should fix things and create a clear divide again. Now excuse me while I'm off cracking some new code.

  6. This is always a major concern for OSS projects by Anonymous Coward · · Score: 2, Insightful

    Sometimes I'm sure I'm the only person giving source the once-over before I build or install it. There's little chance of finding anything even if the source has been compromised but it helps me sleep better. Auditing install targets in Makefiles (for shell daemons) is a great hobby.

    OSS releases should be GPG signed by now; unless the attacker can compromise the key, we're then left with tampering in the repository.