Make WordPress Core

Changes between Initial Version and Version 10 of Ticket #5313


Timestamp: 02/02/2008 03:46:28 PM (18 years ago)
Author: lloydbudd
Comment:

Replying to thee17:

Because the method of exploiting this was posted, this needs fixing, and possibly fast.

Although it is the same support topic, it probably would have been better to open a new ticket, because it is difficult to confirm that the original issue is caused by this issue.

Also, it is beneficial at this point to explicitly include the details, or at least the links:
http://wordpress.org/support/topic/134928/page/2#post-686510
http://www.village-idiot.org/archives/2008/02/02/wordpress-232-exploit-confirmed/
http://www.theseekerblog.com/?p=284

Updating description.

  • Ticket #5313

    • Property Severity changed from major to critical
    • Property Component changed from General to Security
    • Property Priority changed from high to highest omg bbq
    • Property Owner changed from anonymous to josephscott
  • Ticket #5313 – Description

    Initial version:

    I don't know what's causing this but the problem is being reported by a few people at http://wordpress.org/support/topic/134928. In short, an iframe is turning up in certain posts, clearly being put there via some exploit. The problem has been reported across a few versions of WordPress, including 2.3.1. Note that the iframe wasn't contained in a theme or any source files; it was in the post itself, stored in the database.

    Version 10:

    Feb 2, 2008: http://wordpress.org/support/topic/134928 now describes a security issue in xml-rpc:

    A person has to already have an account on your blog, or be able to create an account (subscription).

    WORKAROUND: if enabled, disable subscription to your blog, or remove xmlrpc.php.

    There is no check on the user's permissions when "post_type" is set to page.

    http://wordpress.org/support/topic/134928/page/2#post-686510
    http://www.theseekerblog.com/?p=284
    http://www.village-idiot.org/archives/2008/02/02/wordpress-232-exploit-confirmed/
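The missing check described above, shown as an added illustration that is not WordPress's own code: a constructed XML-RPC "newPost" handler whose capability check only covers the post path beside a version that selects the required capability from post_type. The role-to-capability map and the current_user_can() stand-in are assumptions made for this example.

```php
<?php
// Constructed example, not WordPress code. Hypothetical role -> capability map;
// current_user_can() here is a stand-in for WordPress's function of that name.
$roles = [
    'subscriber' => ['read'],
    'author'     => ['read', 'edit_posts', 'publish_posts'],
    'editor'     => ['read', 'edit_posts', 'publish_posts',
                     'edit_pages', 'publish_pages'],
];

function current_user_can(string $role, string $cap): bool {
    global $roles;
    return in_array($cap, $roles[$role] ?? [], true);
}

// Weak handler: the permission check is only applied on the post path, so a
// request carrying post_type=page falls through without any check on the user.
function new_post_weak(string $role, array $content): string {
    $type = $content['post_type'] ?? 'post';
    if ($type === 'post' && !current_user_can($role, 'publish_posts')) {
        return 'denied';
    }
    return "created $type";
}

// Hardened handler: the required capability is derived from post_type, an
// unknown post_type is rejected instead of falling through, and publishing
// needs its own capability on top of editing.
function new_post_hardened(string $role, array $content): string {
    $type = $content['post_type'] ?? 'post';
    $required = ['post' => 'edit_posts', 'page' => 'edit_pages'];
    if (!isset($required[$type])) {
        return 'denied: unknown post_type';
    }
    if (!current_user_can($role, $required[$type])) {
        return "denied: cannot create $type";
    }
    if (($content['status'] ?? 'draft') === 'publish'
        && !current_user_can($role, "publish_{$type}s")) {
        return "denied: cannot publish $type";
    }
    return "created $type";
}

// Constructed request: a subscriber-level caller asking to publish a page.
$page = ['post_type' => 'page', 'status' => 'publish'];
foreach (['subscriber', 'author', 'editor'] as $role) {
    printf("%-10s weak: %-14s hardened: %s\n", $role,
        new_post_weak($role, $page), new_post_hardened($role, $page));
}
```

Running it shows the subscriber role passing the weak handler ("created page") while the hardened handler denies it, which is the difference the ticket's workaround (disabling subscription or removing xmlrpc.php) was covering until the check was added.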