The vulnerability exploits a new feature that has been introduced in WordPress 2.9: the trash. The trash is a basic trashcan where deleted posts are placed so that they can be restored if they have been deleted by accident. This trash can be disabled but is activated by default on all WordPress 2.9 and later blogs.

Every logged in user, even those with the subscriber role, can access all deleted articles and posts that have been moved to the trash. This might not affect the majority of blogs as there need to be at least two registered users and at least one user that is not trusted by the administrator of the site.

In theory though anyone with a user account at the website can access the trashed articles regardless of which user wrote them.

The WordPress 2.9.2 patch fixes this exploit so that this is no longer possible. WordPress 2.9.2. can be downloaded from the official WordPress website. Users who have configured their blog for automatic updates can also update the blog from within the blog right away.

One way to clean up your WordPress Database, including old post revisions and items that are in trash, is to use WP-Optimize.  It does a great job at cleaning up bloated databases on busy WordPress sites and keeps them running fast.

There are some really cool features that are being included in this release. They include:

1. Global undo/”trash” feature, which means that if you accidentally delete a post or comment you can bring it back from the grave (i.e., the Trash). This also eliminates those annoying “are you sure” messages we used to have on every delete.
2. Built-in image editor allows you to crop, edit, rotate, flip, and scale your images to show them who’s boss. This is the first wave of our many planned media-handling improvements.
3. Batch plugin update and compatibility checking, which means you can update 10 plugins at once, versus having to do multiple clicks for each one, and we’re using the new compatibility data from the plugins directory to give you a better idea of whether your plugins are compatible with new releases of WordPress. This should take the fear and hassle out of upgrading.
4. Easier video embeds that allow you to just paste a URL on its own line and have it magically turn it into the proper embed code, with Oembed support for YouTube, Daily Motion, Blip.tv, Flickr, Hulu, Viddler, Qik, Revision3, Scribd, Google Video, Photobucket, PollDaddy, and WordPress.tv (and more in the next release).

WordPress 2.9 Summarized:

2.8.6 fixes two security problems that can be exploited by registered, logged in users who have posting privileges.  If you have untrusted authors on your blog, upgrading to 2.8.6 is recommended.

The first problem is an XSS vulnerability in Press This discovered by Benjamin Flesch.  The second problem, discovered by Dawid Golunski, is an issue with sanitizing uploaded file names that can be exploited in certain Apache configurations. Thanks to Benjamin and Dawid for finding and reporting these.

Get WordPress 2.8.6. ]]> http://spidersavvy.com/wordpress-2-8-6-security-release/feed/ 0 http://spidersavvy.com/wordpress-2-8-5-hardening-release/ http://spidersavvy.com/wordpress-2-8-5-hardening-release/#comments Wed, 21 Oct 2009 04:19:22 +0000 SpiderSavvy http://spidersavvy.com/?p=1860

WordPress has been busy working on 2.9 with an emphasis on security.

The headline changes in this release are:

• A fix for the Trackback Denial-of-Service attack that is currently being seen.
• Removal of areas within the code where php code in variables was evaluated.
• Switched the file upload functionality to be whitelisted for all users including Admins.
• Retiring of the two importers of Tag data from old plugins.

I recommend that all sites are upgraded to this new version of WordPress so as to ensure that you have the best available protection.  If you need help upgrading your site please contact me.

If you think your site may have been hit by one of the recent exploits and you would like to make sure that you have cleared out all traces of the exploit then I would recommend that you take a look at the WordPress Exploit Scanner.  This is a plugin which searches the files on your website, and the posts and comments tables of your database for anything suspicious. It also examines your list of active plugins for unusual filenames.

You can read more about this plugin here – “WordPress Exploit Scanner“ ]]> http://spidersavvy.com/wordpress-2-8-5-hardening-release/feed/ 0 http://spidersavvy.com/no-worms-in-my-wordpress-sites/ http://spidersavvy.com/no-worms-in-my-wordpress-sites/#comments Mon, 07 Sep 2009 00:53:19 +0000 SpiderSavvy http://spidersavvy.com/?p=1561 Does your WordPress site have worms?

If you don’t have the latest version then you might!  The fix is simple… upgrade to WordPress 2.8.4. I’m happy to report that all of the WordPress sites that I maintain are up to speed and secure!

Learn more about more about How to Keep WordPress Secure or read the summary below:

Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.

This just in from WordPress:

Yesterday a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.

We fixed this problem last night and have been testing the fixes and looking for other problems since then. Version 2.8.4 which fixes all known problems is now available for download and is highly recommended for all users of WordPress.

http://wordpress.org/development/2009/08/2-8-4-security-release/

1. Akismet – Every WordPress site’s best friend.  Akismet is the first line of defense between your blog and an endless stream of comments attempting to sell you Viagra. It stops what it detects to be spam comments , and holds them in a special moderation qeue separate from your other comments. You can then review and delete them at your convenience. As your blog gets more popular, the number of spam comments you receive will increase, and Akismet will save you a significant amount of time in terms of catching and deleting each spam comment as it’s left on your blog.
2. All in One SEO Pack -A popular plugin with SEO folks, its All in One SEO Pack lets you insert meta tags, helps you with duplicate content, optimizing titles and more.
3. Broken Link Checker for WordPress – As your blog gets more and more posts, it can be difficult to go back and look for what has broken with time.  This plugin will check images and links and notify you via the dashboard when it locates something.  Just the other day I installed this on a clients WordPress site and found 102 broken links!
4. Google Analyticator – Google Analytics is a popular way of tracking your site visitors.  This plugin allows you to enter your code, and it will take care of making sure it gets to the right place in all of your themes.  However, this is a plugin that I can do without because I can manually put analytics code in footer.php but if the client needs to edit the code they can do it on their own.
5. Google XML Sitemap – Helps you generate XML enabled sitemap to help with indexing by search engines like Google, MSN, Ask and more.
6. No Self Pings – A nice little plugin that keeps pingbacks from showing up in your comments section when you link back to your own blog entries.
7. WordPress.com Stats – A stats system that helps you reduce the load on your server by using the WordPress.com servers to keep track of your stats for you.
8. WP Super Cache – Caches your pages as static HTML files as opposed to PHP files, which can take longer to process and display on your site.
9. Share This – This plug-in allows readers to add your blog posts to social bookmarking sites through an icon that appears at the end of each of your blog posts. Readers click the icon to select the social bookmarking site they prefer in order to save and share your post.
10. WordPress Database Backup – What would happen if something happened to your blog and all of your content was lost? You can avoid that possible tragedy by installing a WordPress backup plug-in. This plug-in backs up the core information in your blog (the main tables). There are also more sophisticated WordPress backup plug-ins such as the WP-DBManager plug-in that will allow you to further customize your backups.

What’s new since version 2.8:

• Extra security has been put in place to better protect you from plugins that do not do explicit permission checks.
• Certain themes were calling get_categories() in such a way that it would fail in 2.8. 2.8.1 works around this so these themes won’t have to change.
• Dashboard memory usage is reduced. Some people were running out of memory when loading the dashboard, resulting in an incomplete page.
• The automatic upgrade no longer accidentally deletes files when cleaning up from a failed upgrade.
• A problem where the rich text editor wasn’t being loaded due to compression issues has been worked around.
• Translation of role names fixed.
• wp_page_menu() defaults to sorting by the user specified menu order rather than the page title.
• Upload error messages are now correctly reported.
• Autosave error experienced by some IE users is fixed.
• Styling glitch in the plugin editor fixed.
• SSH2 filesystem requirements updated.
• Switched back to curl as the default transport.
• Updated the translation library to avoid a problem with mbstring.func_overload.
• Stricter inline style sanitization.
• Stricter menu security.
• Disabled code highlighting due to browser incompatibilities.
• RTL layout fixes.