WP 1.52 vulnerability
The news I was alluding to earlier today was that a new vulnerability in WP 1.52 has been disclosed[1]. The issue affects WP versions 2.0x and below and, as I've mentioned earlier, I haven't upgraded If..Else to WP 2.0 yet.
The vulnerability is a SQL injection bug: the User Agent string isn't safely escaped when a comment is posted. There is, fortunately, a temporary workaround, which is to turn on site-wide comment moderation. The long term solution, however, is to upgrade to 2.0x[2].
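As an added illustration (not code from this post or from WordPress itself), the following Python/sqlite3 sketch contrasts the unescaped pattern described above with a parameterised insert; the comments table layout and the User-Agent header values are constructed for the example.

```python
import sqlite3

# Constructed stand-in for the comments table; the real WP schema is not on the page.
SCHEMA = """CREATE TABLE comments (
    id INTEGER PRIMARY KEY, author TEXT, content TEXT, user_agent TEXT)"""

def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn

def insert_comment_unsafe(conn, author, content, user_agent):
    # Vulnerable pattern: the User-Agent header is pasted into the query text,
    # so any quote character the client sends becomes part of the SQL.
    sql = (f"INSERT INTO comments (author, content, user_agent) "
           f"VALUES ('{author}', '{content}', '{user_agent}')")
    conn.execute(sql)
    conn.commit()

def insert_comment_safe(conn, author, content, user_agent):
    # Fixed pattern: bound parameters keep the header as data, never as SQL.
    conn.execute("INSERT INTO comments (author, content, user_agent) VALUES (?, ?, ?)",
                 (author, content, user_agent))
    conn.commit()

def stored_user_agents(conn):
    return [row[0] for row in conn.execute("SELECT user_agent FROM comments ORDER BY id")]

def demo(user_agent):
    """Return (unsafe_outcome, safe_stored_verbatim) for one client-supplied User-Agent."""
    conn = new_db()
    try:
        insert_comment_unsafe(conn, "alice", "Nice post", user_agent)
        unsafe = "stored"
    except sqlite3.OperationalError:
        unsafe = "sql error"  # the header altered the statement: that is the injection surface
    insert_comment_safe(conn, "alice", "Nice post", user_agent)
    return unsafe, stored_user_agents(conn)[-1] == user_agent

# Constructed header values: a plain browser string and one carrying an apostrophe.
BENIGN_UA = "Mozilla/5.0 (X11; Linux)"
QUOTED_UA = "Mozilla/5.0 (O'Reilly build)"

if __name__ == "__main__":
    print(demo(BENIGN_UA))   # ('stored', True)
    print(demo(QUOTED_UA))   # ('sql error', True)
```

The quoted header is enough to break the unescaped statement, while the parameterised insert stores it unchanged; a header crafted with more care than an apostrophe would not error out but would silently change the query, which is why escaping at the database boundary, not moderation, is the real fix.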
However, due to a different set of security concerns with WP 2.01, there is going to be another bugfix release any moment now. Yep, you heard that right; WP2.02 is just around the corner. Of course, if you don't mind the hassle of doing two upgrades in quick succession, then feel free to upgrade. It might be prudent to wait though.
Apologies for the oblique post earlier today. It was a case of not having enough time to write a proper post and not an attempt at security via obscurity[3].

1. Podz has now made a public post on the matter.
2. For those who want to stay on 1.5x, unfortunately, you're out of luck. Ryan's comment on the issue pretty much closes the door on that avenue.
3. Which is a poor facade at the best of times; it's doubly foolish when all the information is public.
-30-
Patches and such for 1.5.2 users are in development right now. Thankfully :)
onepointfivepointthreeeeeeeeeeeeeeeeeee :)
(so Matt tells me!)
Thanks for the heads up. I’ve upgraded to 2.0.1; can I turn off the comments approval thingie?
Edit by Phu: Yep, you should be fine. Don’t forget to upgrade to 2.02 when that’s released.
O.K. Thanks! Will they send out an e-mail when it’s upgraded?
[…] Fortunately, this sequence will not be triggered if the comments are set to go straight to moderation. I first saw this reported here. I was unable to reproduce this bug on any of my blogs, however, so it may simply be a big bug scare… […]
Thanks for the heads up, Phu. I guess we’ll just have to upgrade.
No problem :)