February 05, 2008
WordPress XML-RPC Security Flaw
WordPress 2.3.3 is an urgent security release. A flaw was found in our XML-RPC implementation such that a specially crafted request would allow any valid user to edit posts of any other user on that blog. In addition to fixing this security flaw, 2.3.3 fixes a few minor bugs. If you are interested only in the security fix, download the fixed version of xmlrpc.php and copy it over your existing xmlrpc.php. Otherwise, you can get the entire release here.
Via: WordPress Blog
Posted by Stephen at February 5, 2008 04:51 PM
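The announcement above describes a missing-authorization bug: XML-RPC's editPost call verified that the caller was a valid user, but not that the caller was allowed to edit the particular post ID in the request. The following is an added illustration of that bug class and its fix, written in Python rather than taken from WordPress's PHP xmlrpc.php; the users, passwords and posts are constructed sample data, and the request is dispatched in-process through the standard library's `SimpleXMLRPCDispatcher._marshaled_dispatch` so it runs offline with no socket.

```python
"""Model of the bug class behind the WordPress 2.3.3 xmlrpc.php fix.

Added illustration, not WordPress code. A metaWeblog.editPost handler
authenticates the caller but, in the flawed configuration, never checks
that the caller may edit the post whose ID was supplied. The hardened
configuration adds that per-post authorization check.
"""
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCDispatcher

# Constructed sample data (assumed for the example, not from the page).
USERS = {
    "alice": "alice-pw",
    "bob": "bob-pw",
}
POSTS = {
    1: {"author": "alice", "title": "Alice's draft"},
    2: {"author": "bob", "title": "Bob's draft"},
}


class Blog:
    """Server side of the metaWeblog.editPost call."""

    def __init__(self, check_post_owner: bool):
        # False models the flawed behaviour, True the fixed one.
        self.check_post_owner = check_post_owner
        self.posts = {pid: dict(post) for pid, post in POSTS.items()}

    def _login(self, username, password):
        # Authentication only: is this a valid user with the right password?
        if USERS.get(username) != password:
            raise xmlrpc.client.Fault(403, "Bad login/pass combination.")
        return username

    def edit_post(self, post_id, username, password, content, publish):
        # Parameter order follows metaWeblog.editPost(postid, username,
        # password, struct, publish); only the title is applied here.
        user = self._login(username, password)
        post = self.posts.get(int(post_id))
        if post is None:
            raise xmlrpc.client.Fault(404, "Invalid post ID.")
        # Authorization: being a valid user is not enough, the caller must be
        # allowed to edit *this* post. The flawed handler skips this check.
        if self.check_post_owner and post["author"] != user:
            raise xmlrpc.client.Fault(401, "Sorry, you are not allowed to edit this post.")
        post["title"] = content.get("title", post["title"])
        return True


def make_dispatcher(blog):
    dispatcher = SimpleXMLRPCDispatcher(allow_none=False, encoding="utf-8")
    dispatcher.register_function(blog.edit_post, "metaWeblog.editPost")
    return dispatcher


def edit_request_xml(post_id, username, password, new_title):
    """The XML-RPC request body a client would POST to xmlrpc.php."""
    params = (str(post_id), username, password, {"title": new_title}, True)
    return xmlrpc.client.dumps(params, methodname="metaWeblog.editPost")


def try_edit(blog, post_id, username, password, new_title):
    """Send one editPost request through the dispatcher.

    Returns "ok" on success, or "fault <code>: <message>" when the server
    answered with an XML-RPC <fault> response.
    """
    request = edit_request_xml(post_id, username, password, new_title)
    # _marshaled_dispatch is what SimpleXMLRPCServer runs on each POST body;
    # calling it directly keeps the exchange in-process.
    response = make_dispatcher(blog)._marshaled_dispatch(request.encode("utf-8"))
    try:
        xmlrpc.client.loads(response)  # raises Fault for a <fault> response
    except xmlrpc.client.Fault as fault:
        return f"fault {fault.faultCode}: {fault.faultString}"
    return "ok"


if __name__ == "__main__":
    print(edit_request_xml(1, "bob", "bob-pw", "edited by bob"))
    flawed, fixed = Blog(check_post_owner=False), Blog(check_post_owner=True)
    # bob is a valid user but does not own post 1.
    print("flawed:", try_edit(flawed, 1, "bob", "bob-pw", "edited by bob"), flawed.posts[1])
    print("fixed: ", try_edit(fixed, 1, "bob", "bob-pw", "edited by bob"), fixed.posts[1])
    print("fixed, own post:", try_edit(fixed, 2, "bob", "bob-pw", "edited by bob"))
    print("bad password:", try_edit(fixed, 2, "bob", "wrong", "x"))
```

The point to take from the two runs: both configurations reject a bad password, so a login check alone looks like "security" in testing, yet only the hardened handler refuses a valid user's request against someone else's post ID. Any XML-RPC method that takes an object ID needs the same per-object check after the login step.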
Comments
The XML-RPC flaws are really old news now, having been around for several years I think. I remember investigating it and jumping up and down about it, along with others, on tweakgeek and webhostingtalk.com back in July 2005.
Most hosts worth their salt have mod_security rules in place to block exploit attempts, but I guess some hosts are asleep. This was kind of a universal exploit and it's a little more than somewhat slack that Wordpress hadn't addressed it till now, if in fact it's the same exploit, of course ...
Posted by: Brian at February 8, 2008 09:05 PM