Tag archive for 'datensicherheit'

Datensch(m)utz, Wordpress, 26.07.2006
I’ve been informed through the automated annotation service that’s integrated in the popular Spamkarma 2 plugin for WordPress that everybody, regardless of the WordPress version used, should deactivate the “everyone can register” free guest registration immediately, for security reasons. Apparently there’s a major security hole in WordPress in connection with this feature which is not yet closed (and apparently no patch is available yet, otherwise the advice would sound different, right?). Currently I have no further details available, but I’ll investigate this issue and will let you know if there’s any news about it. At the present time you should follow this advice (you know, Dr. Dave (the developer of Spamkarma2) is one of the best known and … Read the full post
When I read this news ticker entry on heise online, the matching scene from the Hollywood film “Staatsfeind Nr. 1” (original title: “Enemy of the state”) spontaneously came to mind ;)
Datensch(m)utz, Wordpress, 07.03.2006
Having a look at the timeline of the current WordPress development, one can see that since last midnight milestone 2.0.2 seems to be up and ready to be released. If you scour through the nightly builds repository (whose URL I won’t publish for obvious reasons) you can already find a Wp 2.0.2 RC1 zip file as well. Since this release contains some really important security fixes, it is pretty certain that the official release date of the new version will be pretty soon. At the milestone 2.0.2 overview page you won’t find much information about these security fixes, but if you download the RC1 files and compare them to the older 2.0(.1) files, keeping in mind the … Read the full post
Wordpress, 06.03.2006
Seemingly, the blog of KCYap was hacked the day before yesterday (link removed because the site is unavailable). Justin was the organizer of the by now widely known Wordpress 2.0 Theme Competition, whose submission deadline was the night of February 28 to March 1. Because of an alleged typo, however, February 29 was shown on the site as the final submission date for a long time. Since the presumed hacker(s), who emptied the complete WordPress database, gave the blog the new title “There is no 29th February in the year”, it almost seems reasonable to suspect that someone got really angry because he or she missed the submission deadline for the competition due to this typo ;) Quite apart from the fact that I generally find it very … Read the full post
Wordpress, 02.03.2006
As Heise Online reports today, a group named Neo Security TEAM has published an advisory describing several severe security vulnerabilities in WordPress. The most important issue is insufficient filtering of comments, which allows so-called cross-site scripting attacks. On WP installations with unmoderated comments this may result in an attacker gaining full administrative access to the blog. Several files don’t check whether they are called directly, resulting in error messages being displayed that contain the full server path to the file. This information, in turn, can then be misused for further attacks against either the blog or even the complete webserver. Additionally, the wp-includes/ directory is open to a directory listing, if the directory … Read the full post