Users who have downloaded the 2.1.1 version of the open-source blogging platform WordPress should upgrade all files to 2.1.2 immediately, since they could include a security bug injected by a cracker who gained user-level access to one of the servers that powers wordpress.org, according to a release posted on WordPress' site on Friday. WordPress received a note on the project's security mailing address Friday morning regarding "highly exploitable code," the release said. After investigating the issue, the WordPress developers found that the 2.1.1 download had been modified from its original site. The Web site was taken down immediately for further forensic analysis.
"It was determined that a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file," the release continued. "We have locked down that server for further forensics." At this point it looks like the 2.1.1 download was the only thing affected by the attack. The attacker(s) modified two files to include code that would allow for the remote PHP execution. "This is the kind of thing you pray never happens, but it did and now we're dealing with it as best we can," the release continues. Not all downloads of 2.1.1 were affected, but WordPress declared the entire version dangerous. Several WordPress developers worked through the night to release a new version, 2.1.2, that includes minor updates and entirely verified files.
Source:
http://securitywatch.eweek.com/explo...wn_server.html
05-03-2007, 05:55 PM
WordPress Code Subverted on Its Own Server
Linear Mode
