Command Execution Vulnerability in WordPress Affecting all Versions

By Angsuman Chakraborty, Gaea News Network
Saturday, August 13, 2005

A command execution vulnerability has been found in WordPress’s handling of incoming cookie information which allows remote attackers to cause the program to execute arbitrary code if the PHP settings of register_globals has been set to On.

Already a perl and php exploit is available. It affects WordPress version 1.5.1.3 and before when register_globals is set to On. The information has been provided by Kartoffelguru.

WordPress developers are working on a fix.

Update: Add the line to your php.ini file (in WordPress root) for a fix:
php_flag register_globals off

Do it now.

Note: This may affect functioning of some plugins which rely on php global variables being available.
Filed under: CMS Software, Headline News, Pro Blogging, Web, WordPress
Discuss Bellow
Discussion

Angsuman
August 13, 2005: 7:55 pm

Thanks Tom for the update.

WordPress.com.br » Vulnerabilidade do WordPress 1.5.3
August 13, 2005: 4:20 pm

[...] Foi anunciada, pelo site SecuriTeam, especializado em segurança de sistemas e aplicativos de computadores, uma vulnerabilidade presente na versão 1.5.3 que afeta todas as versões do WordPress, inclusive a mais recente, 1.5.3, e que deve ser corrigida imediatamente. [...]

Tom Raftery
August 13, 2005: 3:05 pm

I’ll try again (!) - Podz has posted a fix here: https://www.tamba2.org.uk/T2/archives/2005/08/13/stop-your-blog-being-hacked/

Tom Raftery
August 13, 2005: 3:03 pm

Podz has posted a fix here

Slobokan’s Site O’ Schtuff » Blog Archive » Wordpress Vulnerability
August 13, 2005: 12:31 pm

[...] [Source: Simple Thoughts] [...]
YOUR VIEW POINT
NAME : (REQUIRED)
MAIL : (REQUIRED)
will not be displayed
WEBSITE : (OPTIONAL)
YOUR
COMMENT :
 
Submit