The WordPress Security Update

Stefan Esser over at the PHP Security Blog is not happy. He’s just written a blog post titled WordPress – developers totally nuts claiming that only hours after releasing version 1.5.2, the developers patched some additional security flaws and re-uploaded the download file without labelling it any differently. Stefan had previously contacted WordPress about security flaws in their product and had contributed some patches. The end result, according to Stefan’s claims, is that many WordPress users who downloaded the pre-update version 1.5.2 will still be vulnerable to known and published security exploits.

Amusingly, it appears that hours after the blog post went live, Stefan renamed the post’s title to ‘WordPress – irresponsible silent tarball update’ without notice.

A similar rant about WordPress security by Martin Geisler can be found on his blog. His advice: “Remember to upgrade any installation you might have”.

Dougall Campbell, a developer for WordPress, responds to what he sees as a campaign of fear, uncertainty and doubt against the 1.5.2 release. Dougall admits that the first downloadable archive to be posted didn’t contain all the security fixes they intended to include, but says that the situation was rectified before the initial announcement of the release was posted, and therefore anybody who downloaded the archive after the official announcement went up is safe from the problem.

According to Stefan’s post, the exploit in question involves a function in WordPress’s code intended to work around servers that have register_globals enabled. The function checks whether register_globals is enabled in the PHP configuration and, if so, tries to unset each global variable that the setting created from request data. In doing so the function inadvertently introduced a further flaw that allowed remote users to bypass the very protection it was meant to provide.
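For readers who have not seen this kind of workaround, the following is an added illustration of how a register_globals neutraliser is typically written defensively; it is not the WordPress function and it does not reproduce the flaw Stefan reported. The function name, the superglobal allow-list and the early abort on a GLOBALS overwrite are this example’s own choices, not anything from the page or from WordPress.

```php
<?php
// Added example: a defensive register_globals neutraliser (hypothetical
// helper, not WordPress code). Written in PHP 5 syntax because the
// register_globals directive was removed in PHP 5.4, so this is only
// meaningful on the old servers the 2005 workaround targeted.
function neutralise_register_globals()
{
    // On a correctly configured server there is nothing to undo.
    if (!ini_get('register_globals')) {
        return;
    }

    // If a request variable named GLOBALS reached us, register_globals
    // may already have replaced the $GLOBALS array itself, so nothing
    // below can be trusted. Abort instead of trying to clean up.
    if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])) {
        exit('Refusing request: GLOBALS overwrite attempt');
    }

    // Names that must survive: the superglobals and $GLOBALS itself.
    $keep = array(
        'GLOBALS' => true, '_GET' => true,    '_POST' => true,
        '_COOKIE' => true, '_REQUEST' => true, '_SERVER' => true,
        '_ENV' => true,    '_FILES' => true,  '_SESSION' => true,
    );

    // Only remove globals whose names came from an input array; walking
    // $GLOBALS directly while unsetting from it is what makes such
    // cleanup routines fragile.
    $inputs = array($_GET, $_POST, $_COOKIE, $_REQUEST,
                    $_SERVER, $_ENV, $_FILES);
    foreach ($inputs as $input) {
        foreach (array_keys($input) as $name) {
            if (!isset($keep[$name])) {
                unset($GLOBALS[$name]);
            }
        }
    }
}

// Call this before any application code reads a global that a request
// could have pre-populated.
neutralise_register_globals();
```

Turning register_globals off in php.ini (or removing it by upgrading PHP) remains the real fix; code like this only limits the damage on hosts where the setting cannot be changed.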


Category: programming Time: 2005-08-18 Views: 1
