
Highly Exploitable Code Planted into WordPress 2.1.1

March 3rd, 2007 by George Notaras

According to the latest post on the WordPress development blog at the time of writing, a cracker gained access to one of the servers that power wordpress.org and modified the WordPress 2.1.1 distribution package. Malicious code that leaves the web application vulnerable is said to have been planted into the archive.

Everyone who upgraded to WordPress v2.1.1 during the last 3-4 days must upgrade to the new 2.1.2 version by overwriting all old WordPress files with the new ones. According to the article, those who get the code directly from the SVN repository should be fine, as the repository code has not been affected.

Those who still use a WordPress version older than 2.1.1 should also upgrade to the latest 2.1.2 version, as several bugs have been fixed in the latest WP releases, provided that the distribution package’s md5 sum is verified. The md5sum of each WordPress release can be found at the Release Archive. It can be checked like this:

$ wget http://wordpress.org/wordpress-2.1.2.tar.gz
$ md5sum wordpress-2.1.2.tar.gz
b1ae0c152e60300cba8c40c030baafd4  wordpress-2.1.2.tar.gz

The md5sum should be the same as in the WP v2.1.2 md5sum file.
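To turn the manual comparison above into a repeatable check, here is an added shell example (not from the original post) that verifies a downloaded archive against a checksum file in md5sum's own output format; the archive and the checksum file are constructed inline as stand-ins for the real package and the Release Archive's md5sum file.

```shell
#!/bin/sh
# Added example: check a downloaded release archive against a checksum file in
# md5sum's own "<digest>  <filename>" format, as printed in the session above.
# Caveat also made in the post: a checksum hosted next to the package on the same
# server only catches corrupted or accidentally altered downloads; whoever can
# replace the archive can usually replace the published digest as well.

# verify_md5 FILE CHECKSUM_FILE
# Exit status: 0 = digest matches, 1 = digest differs, 2 = no entry for FILE.
verify_md5() {
    file=$1
    sums=$2
    name=$(basename "$file")
    # Pick the digest recorded for this file name; ignore other entries.
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name in $sums" >&2
        return 2
    fi
    actual=$(md5sum "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name (published $expected, computed $actual)" >&2
    return 1
}

# Demonstration on constructed data (not a real WordPress archive).
demo_dir=$(mktemp -d)
printf 'constructed sample archive contents\n' > "$demo_dir/wordpress-2.1.2.tar.gz"
# Stand-in for the published md5sum file, generated here from the clean copy.
( cd "$demo_dir" && md5sum wordpress-2.1.2.tar.gz > wordpress-2.1.2.md5 )
verify_md5 "$demo_dir/wordpress-2.1.2.tar.gz" "$demo_dir/wordpress-2.1.2.md5"
# Simulate a modified package: appending a single byte changes the whole digest.
printf 'x' >> "$demo_dir/wordpress-2.1.2.tar.gz"
verify_md5 "$demo_dir/wordpress-2.1.2.tar.gz" "$demo_dir/wordpress-2.1.2.md5" \
    || echo "digest check failed; do not install this archive"
rm -rf "$demo_dir"
```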

Of course, the files that contain the release md5sums could have been altered too, but I am afraid there is no other alternative, unless you decide to stay with your current WordPress version, at least until the whole situation is clear, which IMHO would be a wise decision, despite the bugs those old versions might have.

The Highly Exploitable Code Planted into WordPress 2.1.1 by George Notaras, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License. Terms and conditions beyond the scope of this license may be available at www.g-loaded.eu.


2 Responses to “Highly Exploitable Code Planted into WordPress 2.1.1”

  1. Aggelos Orfanakos Says:

    I knew something like this would happen one day. It’s very stupid of them to be keeping the md5s in the same place as the packages. It’s also very stupid of them that the “default” way of downloading WordPress is getting “latest.tar.gz”. No version on the filename and no md5s for those that are unaware of the Release Archive. Let’s see if they’ll learn anything from this.

  2. GNot Says:

    I admit that I experienced the same disappointment when I initially read that announcement.

    You are absolutely right criticizing the unprofessional way of making the distribution packages available to the public. WordPress.org’s highest priority seems to be ease of use rather than the security and the integrity of the distributed archives. I bet the “latest.tar.gz” concept has to do with the downloads counter. Also, the absence of the package’s md5 sum on the downloads page is something that has to change. It took me several minutes to find out about the Release Archive.
