WarriorForum - Internet Marketing Forums > The Chat Room > The Off Topic Forum
Old 09-05-2009, 12:32 AM   #1
d'modulator
Serious Hack - Wordpress versions prior to 2.8.4

Don't know if you guys saw this in the main forum or not, but in speaking to my host it is a serious security threat. GO AND UPGRADE ANY VERSION PRIOR TO 2.8.4



http://www.warriorforum.com/main-int...p_referer.html

Leads to explanation
Wordpress MySQL Injection - Permalink hack %&({${eval(base64_decode($_SERVER[HTTP_REFERER]


Here is another report of a previous attack.

Help! My Blog Posts Now Have Weird Code on the URL


From Wordpress.org

WordPress 2.8.4: Security Release

Posted August 12, 2009 by Matt. Filed under Releases, Security.
Yesterday a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.
We fixed this problem last night and have been testing the fixes and looking for other problems since then. Version 2.8.4 which fixes all known problems is now available for download and is highly recommended for all users of WordPress.

Patricia Brucoli, theaptconsultant-b2b/dba the3rdpartynetwork
Member Services Director, Plug-In Profit Site
Patrician is online now   Reply With Quote
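A defender-side check for the advice in the first post, as an added example that is not part of the thread or of WordPress: it reads `$wp_version` from each install's `wp-includes/version.php`, flags releases prior to 2.8.4, and flags URLs that contain the `eval(base64_decode(` fragment quoted above. The directory names, the sample URLs and the `blog.example` host are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote

FIXED = (2, 8, 4)  # release the post says to upgrade to
# WordPress core records its release in wp-includes/version.php as $wp_version.
VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]""")
MARKER = "eval(base64_decode("  # fragment of the permalink string quoted in the post
SAMPLE_URLS = [  # constructed; blog.example is a placeholder host
    "http://blog.example/2009/09/hello-world/",
    "http://blog.example/2009/09/hello-world/%&({${eval(base64_decode($_SERVER[HTTP_REFERER]",
    "http://blog.example/post/%26%28%7B%24%7BEval%28Base64_Decode%28%24_SERVER",
]

def parse_version(text):
    """Return the release as a 3-tuple ('2.8' -> (2, 8, 0)), or None if absent."""
    m = VERSION_RE.search(text)
    nums = re.findall(r"\d+", m.group(1).split("-")[0])[:3] if m else []
    if not nums:
        return None
    return tuple([int(n) for n in nums] + [0] * (3 - len(nums)))

def audit(root):
    """Map each install path (relative to root) to (version, needs_upgrade)."""
    report = {}
    for vfile in Path(root).rglob("version.php"):
        version = parse_version(vfile.read_text(errors="replace"))
        if vfile.parent.name == "wp-includes" and version is not None:
            install = vfile.parent.parent.relative_to(root)
            report[str(install)] = (version, version < FIXED)
    return report

def injected_urls(urls):
    """Return URLs whose percent-decoded, lower-cased form contains MARKER."""
    return [u for u in urls if MARKER in unquote(u).lower()]

def demo():
    """Scan two constructed installs and the constructed sample URLs."""
    with tempfile.TemporaryDirectory() as root:
        for name, ver in (("blog-a", "2.8.3"), ("blog-b", "2.8.4")):
            inc = Path(root, name, "wp-includes")
            inc.mkdir(parents=True)
            (inc / "version.php").write_text(f"<?php\n$wp_version = '{ver}';\n")
        return audit(root), injected_urls(SAMPLE_URLS)

if __name__ == "__main__":
    print(demo())
```

Point `audit()` at the directory that holds your sites and feed `injected_urls()` the post URLs from a sitemap or crawl; the lower-casing is there because PHP function names are case-insensitive.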
Old 09-07-2009, 12:02 PM   #2
HyperActive Warrior
Re: Serious Hack - Wordpress versions prior to 2.8.4

This is why I run AWAY from wordpress. Too many vulns to deal with when there are so many other options that are hacked much less. Static pages, Blogger ftp'd to your own domain, Drupal, Joomla and on and on.

Depending on your view Wordpress is either swiss cheese and full of holes or the most attacked, either way it's a time sink to try running it.

Left the wordpress treadmill in late 2007 and haven't missed it a bit.
WareTime is offline   Reply With Quote
All times are GMT -6.