WordPress 1.5.1.3 Security Update

Update: WordPress 1.5.2 now available.

Found out last Friday that WordPress had a securtiy update for its 1.5.1.3 version that involved the register_globals settings.

They posted an updated information in the WordPress forums:

WordPress version 1.5.1.3 is remotely exploitable if the web server on which it runs has register_globals = on in the PHP configuration. perl and PHP code exists to automatically exploit vulnerable WP 1.5.1.3 sites, allowing the attacker to (try to) execute code on the victim’s account.

Here are some recommended steps that should be taken to secure your WP account:

Download the revised wp-settings.php file. This revised version includes specific code to thwart attacks that leverage register_globals.

To use the revised wp-settings.php file, please first make a backup copy of your existing /wp-includes/wp-settings.php file, then simply transfer the new version to the /wp-includes/ directory on your site.

We strongly encourage security in depth. In addition to the fix above, you are encouraged to disabled register_globals for your site. Most users will be able to edit your .htaccess file, and place this at the very top: php_flag register_globals off

If you control the server, you may edit php.ini and disable register_globals. You will need to restart the webserver after making this change.

Everyone is strongly encouraged to update their WordPress installation as indicated above. I suggest doing the 1st and second option.

Note to plogHost clients: Although we can turn off register_globals on all servers, a whole lot of other applications that require it to be “on” may be affected and may not work.

Abe Olandres

Abe is the founder and Editor-in-Chief of YugaTech with over 20 years of experience in the technology industry. He is one of the pioneers of blogging in the country and considered by many as the Father of Tech Blogging in the Philippines. He is also a technology consultant, a tech columnist with several national publications, resource speaker and mentor/advisor to several start-up companies.

https://www.yugatech.com

13 Comments

vern says:

19 years ago

wp-settings.php is actually in the WordPress root (/) and not in wp-includes/. At least it is on mine.
- Reply
Abe Olandres says:

19 years ago

wp-includes/settings.php is mentioned as the back-up. :)
- Reply
Jaypee says:

19 years ago

same goes for me..my wp-settings.php file is found in the root folder and not inside the wp-includes folder.
- Reply
vern says:

19 years ago

Yeah they say that, but then their instructions say

“then simply transfer the new version to the /wp-includes/ directory on your site.”

People who follow their instructions word for word will run into obvious problems.
- Reply
Jaypee says:

19 years ago

i tried to upload the new wp-settings.php file and got this error message –
Parse error: parse error, unexpected T_LNUMBER in /home/prolifik/public_html/blog/wp-settings.php on line 91
- Reply
Max Limpag says:

19 years ago

Yuga,

Thanks for the warning.

Max
- Reply
Kates says:

19 years ago

Apparently, they forgot to change the version number in the headers. Mine still sports the version 1.5.1.3. I leave that for stats. hehehe
- Reply
Max Limpag says:

19 years ago

Yuga,
WordPress released version 1.5.2 just a few minutes after I did the fixes :-( . The update to my, my wife’s and our Newsletter Solutions blogs went smoothly, though. Again, thanks for the warning although i wish I had procrastinated longer (at least in time for the release announcement :-) )

Max
- Reply
Jaypee says:

19 years ago

i’ve upgraded mine to 1.5.2 :D
- Reply
markku says:

19 years ago

You mean we have register_globals turned on at ploghost? It’s sad that other developers simply ignore safe programming practices to allow their apps to run with the register_globals directive set to off. It doesn’t really take much to code that way.

Another WP update? It’s nice to see the community responding swiftly. :)
- Reply