March 6, 2007 4:45 PM PST

Intruder adds back door to WordPress blog software

An unknown intruder has compromised a WordPress server and added a remote control tool to downloadable versions of the widely used blogging software.

The breach happened last week and was discovered on Friday, WordPress creator Matt Mullenweg wrote on the WordPress Web site.

"Long story short: If you downloaded WordPress 2.1.1 within the past three to four days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately," Mullenweg wrote. He did not say how the attacker breached the WordPress system.

The WordPress team learned of the compromise through an e-mail to its security e-mail address about unusual and highly exploitable code in WordPress. After an investigation, the team concluded that somebody had modified two files in the 2.1.1 release that would allow for remote execution of PHP code, Mullenweg wrote.

The vulnerability could allow an attacker access to the server running the blogging software.

The Web server hosting the infected WordPress software was taken down and will be forensically examined, Mullenweg wrote. "This is the kind of thing you pray never happens, but it did and now we're dealing with it as best we can," he wrote.

Not all downloads of 2.1.1 were rigged, but WordPress has released version 2.1.2 that includes minor updates and entirely verified files. The team is also taking measures to prevent a similar breach in the future, Mullenweg wrote.

Any WordPress users running version 2.1.1 should upgrade immediately to overwrite all old files. WordPress has additional tips for Web hosters and network administrators.

Whoa...you guys are slow
by Mousefinger March 6, 2007 8:57 PM PST
Sheesh Cnet....what took you so long on this story? This has been on the blogs and in the 24/7 Net news cycle for days now.

Old news and a new release is out. ZZzzzzZZZZzzzzz....
Software has reputation...
by wbenton March 10, 2007 6:54 AM PST
That reputation is either good or bad.

Microsoft's reputation is bad... but you rarely paint it as such... but you do go beyond the call of duty to paint others as bad.

But you're a bit slow on this one and you kindly don't publish such bad news about Microsoft.

Are your reporters on the MS payroll? (* GRIN *)

Walt