Help shape WordPress 2.7


From the WordPress Blog:

Another round of mini-mockups and multiple choice questions awaits the first 5000 respondents. WordPress 2.7 UI Survey #2 is now available to take your opinions regarding:

  • Where to put the search box
  • Where to put the Add New Post button/favorites menu
  • How to label the Future Publish/Edit Timestamp function

The survey (hosted by the good guys over at PollDaddy.com) will automatically close after receiving 5000 responses, which only took about two days for the navigation survey, so hurry over and cast your votes.

It’s great to see the guys actively gathering input on certain elements that affect their users. If you feel strongly about some of these aspects, head down and cast your votes. Be part of the process!

WordPress 2.6.1 Exploit: Upgrade to avoid hack

I was reading around today, after cleaning up a website that got hacked, when I saw an example of a vulnerability that exists in WordPress 2.6.1. The security hole is this:

Imagine a blog running WordPress 2.6.1 at www.hackme.com with open registration enabled. When you type http://www.hackme.com/wp-login.php?action=register into your address bar, the new user registration page comes up!

Next, enter the user name “admin                                                       x” (make sure there are 52 space characters between “admin” and “x”), type your e-mail address into the next textbox and click Register. This clones the “admin” user name: the database column that stores user names is shorter than the value you typed, so the name is silently truncated on insert, and MySQL ignores trailing spaces when it compares strings, so the stored name collides with the real “admin” account. Your password will arrive at your e-mail address shortly. You will not be able to log in with it directly, so open the same page again, click “forgot password”, type in your own e-mail address, and you will receive the link to reset the admin password. Once you click the reset link, a new password is generated and sent to the real owner of the website.

Now, although the attacker can’t log in with that password, it is very annoying and can even be used as a denial-of-service attack by continually changing the admin’s password. How do you address the issue? Either upgrade to WordPress 2.6.2 or disable user registration.
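The following is an added example, not code from the post or from WordPress, that models why the crafted user name above slips past the “username exists” check and then collides with the real account. It assumes (these are my assumptions, not facts from the page) that the user-name column is a VARCHAR(60), that MySQL 5 in its default non-strict mode silently truncates over-long inserts, and that the default PAD SPACE collation makes trailing spaces insignificant in `=` comparisons. The crafted name is padded to the assumed column width rather than to the 52 spaces quoted above, because the count that triggers truncation depends on the real column width. The hardened registration function is my own illustration of the kind of check that closes the hole, not the actual 2.6.2 patch.

```python
"""Model of the WordPress 2.6.1 user-name collision (added example, not project code).

Assumed (not from the page): wp_users.user_login is VARCHAR(60); MySQL 5 in
non-strict mode truncates over-long inserts; PAD SPACE collation ignores
trailing spaces on '=' comparisons.
"""

USER_LOGIN_WIDTH = 60  # assumed width of the user_login column


def mysql_eq(a: str, b: str) -> bool:
    """Model of a PAD SPACE string comparison: trailing spaces are not significant."""
    return a.rstrip(" ") == b.rstrip(" ")


class Users:
    """A toy wp_users table holding (user_login, user_email) rows."""

    def __init__(self):
        self.rows = []

    def username_exists(self, login: str) -> bool:
        # SELECT ... WHERE user_login = %s, run with the *untruncated* input
        return any(mysql_eq(row_login, login) for row_login, _ in self.rows)

    def insert(self, login: str, email: str) -> None:
        # Non-strict INSERT: the value is silently cut to the column width
        self.rows.append((login[:USER_LOGIN_WIDTH], email))

    def rows_matching(self, login: str):
        # Every row a later 'WHERE user_login = %s' clause (e.g. a password
        # reset) would touch; the collision shows up as two rows here.
        return [email for row_login, email in self.rows if mysql_eq(row_login, login)]


def register_vulnerable(db: Users, login: str, email: str) -> str:
    """Existence check on the raw value, then a truncating insert."""
    if db.username_exists(login):
        return "ERROR: username exists"
    db.insert(login, email)
    return "OK"


def register_hardened(db: Users, login: str, email: str) -> str:
    """Illustrative fix: normalise, enforce the column width, then check."""
    login = login.strip()  # no leading/trailing whitespace can survive
    if len(login) > USER_LOGIN_WIDTH:
        return "ERROR: username too long"
    if db.username_exists(login):
        return "ERROR: username exists"
    db.insert(login, email)
    return "OK"


def demo(register):
    """Seed an admin, attempt the crafted registration, report what 'admin' now matches."""
    db = Users()
    db.insert("admin", "owner@example.com")  # constructed sample data
    # "admin" padded to the column width, plus one extra character so the
    # raw value is NOT equal to "admin" but the truncated one IS.
    crafted = "admin" + " " * (USER_LOGIN_WIDTH - len("admin")) + "x"
    result = register(db, crafted, "attacker@example.com")
    return result, db.rows_matching("admin")


if __name__ == "__main__":
    print(demo(register_vulnerable))  # ('OK', ['owner@example.com', 'attacker@example.com'])
    print(demo(register_hardened))    # ('ERROR: username too long', ['owner@example.com'])
```

With the vulnerable flow, the existence check compares the full 61-character string against “admin” and sees the trailing “x”, so it passes; the insert then drops the “x”, and from that point on any query for “admin” matches both rows, which is exactly what lets the password-reset step reach the real administrator. Rejecting over-long and whitespace-padded names before the database ever sees them removes the mismatch between the check and the stored value.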

WordPress 2.7 coming down the tubes


Wordpress 2.7 will be awesome

I’ve just come across a list of new features planned for WordPress 2.7 on Ryan Boren’s blog, and I can’t wait for some of them. It looks really exciting. Here’s what he lists:

  • New admin UI based on the crazyhorse experimental UI branch with new menus and navigation
  • New edit post page that allows dragging and dropping of meta boxes. Boxes can be expanded and collapsed as before and now also completely hidden.
  • Ability to hide columns on the content index pages
  • Inline editing of posts and pages on the content index pages
  • Comments XMLRPC API (Who wants comment moderation on the iPhone? Me.)
  • Reply to comments from the admin
  • Keyboard hot keys for managing comments
  • Threaded Comments and new wp_list_comments() API
  • Sticky Posts
  • Automatic plugin install and integrated plugin browser
  • Automatic upgrade of WordPress
  • HTTPOnly auth cookies
  • New HTTP request API
  • A new SSH2 filesystem abstraction for updates and installs over sftp

There’s so much exciting stuff in there, I just can’t wait. The automatic upgrade of WordPress will be sooo useful, but others, like Sticky Posts and threaded comments, mean extra functionality that just gets deployed out of the box. Exciting times. It doesn’t matter if you’re on a dial-up connection or using satellite internet services, more and more of the websites you visit will be running on WordPress.

WordPress 2.6.2 released

There’s been a new drop of WordPress which addresses some security issues and a couple of bugs. Here’s the write-up from the development blog:

Stefan Esser recently warned developers of the dangers of SQL Column Truncation and the weakness of mt_rand().  With his help we worked around these problems and are now releasing WordPress 2.6.2.  If you allow open registration on your blog, you should definitely upgrade.  With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password.  The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit.  However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password.  Stefan Esser will release details of the complete attack shortly.  The attack is difficult to accomplish,  but its mere possibility means we recommend upgrading to 2.6.2.

Other PHP apps are susceptible to this class of attack.  To protect all of your apps, grab the latest version of Suhosin.  If you’ve already updated Suhosin, your existing WordPress install is already protected from the full exploit.  You should still upgrade to 2.6.2 if you allow open user registration so as to prevent the possibility of passwords being randomized.

2.6.2 also contains a handful of bug fixes.  Check out the full changeset and list of changed files.

It’s not a big upgrade, so it’s pretty easy to deploy to your blog. WordPress 2.7 shouldn’t be too far away though, so you might want to hold out for that one.

Yoga: Liberated – No pesky encrypted sections

I’ve just finished liberating another WordPress theme. yoga-liberated is the theme and this was a particularly pesky one.

It’s not that the encryption routine was anything to write home about, but the whole right sidebar was encrypted too. Not only was it adding spam links to the blog and burning processor cycles to decrypt the footer every time a page was displayed, but the theme author also blocked users from amending their right sidebar. It wouldn’t have been so bad if the theme had widget support, but it didn’t.

Enjoy!