Wordpress 2.8.5 released

Wordpress 2.8.5 has been released and is available for download. There is nothing exciting in it: it addresses the exploit that was published this morning, plus a few minor things. From the Wordpress.org post:

  • A fix for the Trackback Denial-of-Service attack that is currently being seen.
  • Removal of areas within the code where PHP code in variables was evaluated.
  • Switched the file upload functionality to be whitelisted for all users including Admins.
  • Retiring of the two importers of Tag data from old plugins.

So get your installs up to date, either by downloading the new version or by upgrading from the admin panel!

Posted 141 days ago | Topics: Release, Wordpress

Wordpress trackback exploit found

Around 9am (CST) this morning we were alerted via the wp-hackers mailing list that there is an exploit out that affects the latest version of Wordpress, v 2.8.4.

If you want to read more about all the technical stuff you can find the original blog post detailing the exploit here.

I wouldn’t say this is critical, since your data is not at risk, but anytime someone can put heat on your server it is not good.

No word yet if a patch is going to be released in the form of Wordpress 2.8.5. There are a few fixes out already however.

One workaround is a chunk of code you can paste into your theme’s functions.php file; it refuses trackback requests whose charset parameter is suspiciously long.

function ft_stop_trackback_dos_attacks() {
	global $pagenow;
	// Only act on trackback requests; WordPress sets $pagenow before the init hook runs.
	if ( 'wp-trackback.php' == $pagenow ) {
		// DoS attack fix: a legitimate charset name is short, so refuse any
		// request whose charset parameter is longer than 50 characters.
		if ( isset( $_POST['charset'] ) && strlen( $_POST['charset'] ) > 50 ) {
			die();
		}
	}
}
add_action( 'init', 'ft_stop_trackback_dos_attacks' );

There is also already a fix on trac.
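The functions.php workaround above bounds the charset parameter at 50 characters inside WordPress. The following added example (my own code, not from the original post or from WordPress) applies the same bound from the server side, so oversized trackback requests can be spotted in logs and counted per client address. It assumes a hypothetical access-log format in which the POST body is recorded as a final quoted field; the log lines, addresses and bodies are constructed samples.

```python
"""Flag wp-trackback.php POSTs whose ``charset`` parameter exceeds the
50-character bound used by the functions.php workaround.

Added example, not code from the original post or from WordPress.
"""
import re
from collections import Counter
from urllib.parse import parse_qs

CHARSET_MAX_LEN = 50  # same threshold as the functions.php workaround

# Hypothetical log format (an assumption): combined-style prefix, then the
# POST body as a final quoted field ("-" when there is no body).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<body>[^"]*)"$'
)

# Constructed sample: one normal trackback, two with a long charset list, one
# unrelated GET. Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Oct/2009:09:01:10 -0500] "POST /wp-trackback.php?p=42 HTTP/1.1" 200 512 "title=hi&url=http%3A%2F%2Fexample.org&blog_name=b&charset=UTF-8"
203.0.113.7 - - [12/Oct/2009:09:01:11 -0500] "POST /wp-trackback.php?p=42 HTTP/1.1" 200 512 "title=x&url=http%3A%2F%2Fexample.org&blog_name=b&charset=UTF-8%2CISO-8859-1%2CISO-8859-2%2CISO-8859-3%2CISO-8859-4%2CISO-8859-5%2CISO-8859-6"
203.0.113.7 - - [12/Oct/2009:09:01:12 -0500] "POST /wp-trackback.php?p=43 HTTP/1.1" 200 512 "title=x&url=http%3A%2F%2Fexample.org&blog_name=b&charset=UTF-8%2CISO-8859-1%2CISO-8859-2%2CISO-8859-3%2CISO-8859-4%2CISO-8859-5%2CISO-8859-6"
198.51.100.9 - - [12/Oct/2009:09:02:00 -0500] "GET /index.php HTTP/1.1" 200 2048 "-"
"""


def parse_line(line):
    """Parse one log line into a dict; the body is decoded like $_POST would be."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["params"] = parse_qs(rec["body"]) if rec["body"] != "-" else {}
    return rec


def is_oversized_trackback(rec, max_len=CHARSET_MAX_LEN):
    """True for a POST to wp-trackback.php whose decoded charset is too long."""
    script = rec["path"].split("?", 1)[0]
    if rec["method"] != "POST" or not script.endswith("/wp-trackback.php"):
        return False
    charset = rec["params"].get("charset", [""])[0]
    return len(charset) > max_len


def find_oversized(log_text, max_len=CHARSET_MAX_LEN):
    """Return the parsed records that trip the charset-length check."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_oversized_trackback(rec, max_len):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count offending requests per client address."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    for ip, n in summarize(find_oversized(SAMPLE_LOG)).items():
        print(f"{ip}: {n} oversized trackback request(s)")
```

The check is applied to the URL-decoded value, as strlen() in the workaround sees it, so percent-encoded commas in the raw body do not hide the real length. The per-address summary is what you would feed into a firewall or rate-limit rule while waiting for the proper fix.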

Posted 141 days ago | Topics: Wordpress