#4973 closed defect (bug) (invalid)
Wordpress exploit and issue
| Reported by: |
|
Owned by: |
|
|---|---|---|---|
| Priority: | high | Milestone: | |
| Component: | Security | Version: | |
| Severity: | normal | Keywords: | |
| Cc: |
Description
I am not sure whether this have been taken care. Please look in the following informations. Its fro Web Security Mailing List
http://milw0rm.com/exploits/4397
From: Daniel Cuthbert <daniel.cuthbert@…>
Date: Sep 13, 2007 3:05 PM
Subject: [WEB SECURITY] When the community takes action
To: websecurity@…
Sigh, another Wordpress exploit and issue, no shock there!
http://milw0rm.com/exploits/4397
Wordpress has a massive user-base, and it seems that the developers
have little, or no, concept of any SDLC or basic secure development
as every new release is met by a serious remote vulnerability that
allows attackers to compromise the host blog in some form or manner.
In an ideal world, we'd see the lead developers saying they need help
and asking the community for that help, but what happens when they
don't?
I'm not saying become vigilantes or something, but something should
be done to help projects like Wordpress act in a more socially
responsible way.
Thoughts?
Change History (4)
This is not a "new" exploit. It's an automated program designed to exploit existing/known/fixed exploits.
The exploit it attempts for WordPress 2.2.2 installs is fixed in 2.2.3.
- Resolution set to invalid
- Status changed from new to closed
More information on the fixed 2.2.2 vulnerability that this exploit code attempts to use:
http://secunia.com/advisories/26771/
Better site for that specific exploit:
http://www.buayacorp.com/files/wordpress/wordpress-sql-injection-advisory.html
Looks like all those exploits target the XML-RPC side of the house. All anti-blog/anti-WP preening aside, it does seem to have a good bit to exploit.
I'm not sure whether 2.2.3 addresses the flaw that the script claims 2.2.2 is vulnerable to...