WordPress 2.1.1 hazardous, Update to 2.1.2 – San Francisco


Long story short: if you downloaded WordPress 2.1.1 within the past 3-4 days, your files may contain a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately.

Longer explanation: today we received a note to our security mailing address about unusual and highly exploitable code in WordPress. The issue was investigated, and it appeared that the 2.1.1 download had been modified from its original code. We took the website down immediately to investigate what had happened.

It was determined that a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file. We have locked down that server for further forensics, but at this time it appears that the 2.1.1 download was the only thing touched by the attack. They modified two files in WP to include code that would allow remote PHP execution.

This is the kind of thing you hope never happens, but it did, and now we are dealing with it as best we can. Although not all downloads of 2.1.1 were affected, we are declaring the entire version dangerous and have released a new version, 2.1.2, that includes minor updates and fully verified files. We are also taking many measures to ensure something like this cannot happen again, not the least of which is external verification of the download package, so we will know immediately if something goes wrong for any reason.

Finally, we reset passwords for a number of users with SVN and other access, so you may need to reset your password on the forums before you can log in again.

What You Can Do to Help

If your blog is running 2.1.1, please upgrade immediately and do a full overwrite of your old files, especially those in wp-includes. Check your friends' blogs, and if any of them are running 2.1.1, drop them a note and, if you can, pitch in and help them with the upgrade.

If you are a web host or network administrator, block access to “theme.php” and “feed.php”, and any query string with “ix=” or “iz=” in it. If you are a customer of a web host, you may want to send them a note to let them know about this release and the information above.
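The blocking advice above also gives administrators something to look for in their access logs. The following Python is an added example, not part of the original announcement: it scans constructed Apache combined-format log lines for the indicators the advisory names (requests for theme.php or feed.php, and any ix= or iz= query parameter). The log format, the regex and the sample lines are assumptions; adjust them to your server.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" access-log layout (assumed; adjust to your server's LogFormat).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Indicators named in the advisory: the two modified files and the two query parameters.
SUSPICIOUS_FILES = ("theme.php", "feed.php")
SUSPICIOUS_PARAMS = ("ix", "iz")


def classify_request(target):
    """Return the list of advisory indicators matched by one request target (path + query)."""
    parts = urlsplit(target)
    reasons = []
    basename = parts.path.rsplit("/", 1)[-1].lower()
    if basename in SUSPICIOUS_FILES:
        reasons.append("file:" + basename)
    # parse_qs decodes URL-encoded keys; keep_blank_values catches a bare "ix=" with no value.
    params = parse_qs(parts.query, keep_blank_values=True)
    for key in SUSPICIOUS_PARAMS:
        if key in params:
            reasons.append("param:" + key)
    return reasons


def scan_log(lines):
    """Return (ip, target, reasons) for every parseable log line matching at least one indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than guess
        reasons = classify_request(m.group("target"))
        if reasons:
            hits.append((m.group("ip"), m.group("target"), reasons))
    return hits


# Constructed sample log lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = """\
198.51.100.7 - - [03/Mar/2007:10:15:01 +0000] "GET /wp-includes/feed.php?iz=x HTTP/1.1" 200 512
203.0.113.9 - - [03/Mar/2007:10:15:03 +0000] "GET /index.php?p=12 HTTP/1.1" 200 8120
198.51.100.7 - - [03/Mar/2007:10:15:05 +0000] "GET /wp-includes/theme.php HTTP/1.1" 200 0
203.0.113.9 - - [03/Mar/2007:10:15:09 +0000] "GET /?ix= HTTP/1.1" 200 8000
""".splitlines()

if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(ip, target, ", ".join(reasons))
```

A hit on these indicators is a reason to confirm the install is on 2.1.2 with clean wp-includes files, not proof of compromise on its own.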

Thanks to Ryan, Barry, Donncha, Mark, Michael, and Dougal for working through the night to figure out and fix this problem, and thanks to Ivan Fratric for reporting it in the first place.

Questions and Answers

Because of the highly unusual nature of this event and release, we have set up an email address, 21securityfaq@wordpress.org, that you can send questions to, and we will be updating this entry with more information throughout the day.

Is version 2.0 affected?

No downloads were modified except 2.1.1, so if you have downloaded any version of 2.0 you should be fine.

What if we upgrade from SVN?

Nothing in the Subversion repository was touched, so if you update and maintain your blog via SVN there is no chance you downloaded the corrupted release files.


Cogknockers is a San Francisco WordPress development agency with 20+ years of experience. WordPress design is at the core of our services.
