Critical WordPress Security Defect Found and Fixed in 2.0.7
By Angsuman Chakraborty, Gaea News Network
Thursday, January 11, 2007
While WordPress 2.0.6 is still hot, a serious security defect (an SQL injection vulnerability) was found and fixed in WordPress 2.0.7, which is currently available as RC1 (release candidate 1). The key defects fixed are:
- Worked around a PHP bug for PHP 4.x less than 4.4.3 and PHP 5.x less than 5.1.4 with register_globals ON that could potentially lead to SQL injection and other security breaches.
- Feeds should properly show 304 Not Modified headers (a.k.a. the FeedBurner bug) instead of mismatched 200/304 headers
- Backport of another 304 Not Modified fix from trunk (Etag mismatch on certain hosts would cause 200 OK and content to always be served, a waste of bandwidth)
Convenience & Misc.
- Deleting WP Pages no longer gives an “Are You Sure?” prompt
- After deleting a WP Page, you are properly redirected to the Edit Pages screen
- Sending an image at original size in IE no longer adds an incorrect “height” attribute
You can download the release candidate here. I have started testing 2.0.7 RC1 on live blogs.