Update: WordPress 1.5.2 now available.
Found out last Friday that WordPress had a securtiy update for its 1.5.1.3 version that involved the register_globals settings.
They posted an updated information in the WordPress forums:
WordPress version 1.5.1.3 is remotely exploitable if the web server on which it runs has register_globals = on in the PHP configuration. perl and PHP code exists to automatically exploit vulnerable WP 1.5.1.3 sites, allowing the attacker to (try to) execute code on the victim’s account.
Here are some recommended steps that should be taken to secure your WP account:
To use the revised wp-settings.php file, please first make a backup copy of your existing /wp-includes/wp-settings.php file, then simply transfer the new version to the /wp-includes/ directory on your site.
We strongly encourage security in depth. In addition to the fix above, you are encouraged to disabled register_globals for your site. Most users will be able to edit your .htaccess file, and place this at the very top: php_flag register_globals off
If you control the server, you may edit php.ini and disable register_globals. You will need to restart the webserver after making this change.
Everyone is strongly encouraged to update their WordPress installation as indicated above. I suggest doing the 1st and second option.
Note to plogHost clients: Although we can turn off register_globals on all servers, a whole lot of other applications that require it to be “on” may be affected and may not work.
You mean we have register_globals turned on at ploghost? It’s sad that other developers simply ignore safe programming practices to allow their apps to run with the register_globals directive set to off. It doesn’t really take much to code that way.
Another WP update? It’s nice to see the community responding swiftly. :)
i’ve upgraded mine to 1.5.2 :D
Yuga,
WordPress released version 1.5.2 just a few minutes after I did the fixes :-( . The update to my, my wife’s and our Newsletter Solutions blogs went smoothly, though. Again, thanks for the warning although i wish I had procrastinated longer (at least in time for the release announcement :-) )
Max
Apparently, they forgot to change the version number in the headers. Mine still sports the version 1.5.1.3. I leave that for stats. hehehe
Yuga,
Thanks for the warning.
Max
i tried to upload the new wp-settings.php file and got this error message –
Parse error: parse error, unexpected T_LNUMBER in /home/prolifik/public_html/blog/wp-settings.php on line 91
Yeah they say that, but then their instructions say
“then simply transfer the new version to the /wp-includes/ directory on your site.”
People who follow their instructions word for word will run into obvious problems.
same goes for me..my wp-settings.php file is found in the root folder and not inside the wp-includes folder.
wp-includes/settings.php is mentioned as the back-up. :)
wp-settings.php is actually in the WordPress root (/) and not in wp-includes/. At least it is on mine.