Archive for June, 2007
Why start a blog?
BlogSecurity introduces an article by Sarah Turner:
Sarah Turner holds a BA Hons in Business Studies and currently works as a Marketing Manager; she has specialised in the IT security sector for almost 2 years.
About 120,000 new blogs are created worldwide each day, equating to roughly 1.4 for every second of every day. It’s no [...]
WordPress 2.2.1 Released
WordPress 2.2.1 has been released. It fixes a number of bugs as well as several critical security vulnerabilities, including:
Remote shell injection in PHPMailer
Remote SQL injection in XML-RPC, discovered by Alexander Concha
Unescaped attribute in the default theme
The latest version can be downloaded here.
Hardening WordPress with htaccess
Update:
08/10/07 – Improved methods for allowing Democracy Plugins and better wp-admin code.
16/08/07 – New Rules
A few emails have come through about how users' WordPress installations have been compromised, or where an attacker has found resources he/she shouldn't have. This article will discuss some security techniques to better harden and secure your WordPress blog; this is [...]
WordPress Default Theme XSS
Philipp Heinze of PhSoftware informed BlogSecurity of a flaw in the default theme that ships with WordPress <=2.2; John Smith is credited with the discovery. The request URI is echoed, unescaped, straight into a double-quoted HTML attribute, so a request path containing a double quote can close the attribute and inject arbitrary markup (a reflected XSS).
The Vulnerable Code
Filename functions.php, line 387:
<form style="display: inline" method="post" name="hicolor"
id="hicolor" action="<?php echo $_SERVER['REQUEST_URI']; ?>">
Temporary Fix
As always, please make a backup before trying any fix.
Find line 387 [...]
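To make the attribute-context problem concrete, here is an added example (not code from WordPress or from the advisory above) that renders the same form tag twice from a constructed, attacker-shaped request URI: once the way the theme does it, and once with the value encoded for an HTML attribute. The function names, the sample URI and the use of htmlspecialchars() as the hardening are this example's own assumptions, not the project's fix.

```php
<?php
// Added example: vulnerable vs. hardened rendering of the default theme's
// "hicolor" form action. This is illustrative code, not WordPress's patch.

// Constructed sample: what $_SERVER['REQUEST_URI'] would contain if a client
// sent a double quote raw in the request line. Real browsers usually
// percent-encode it, which is why the page calls this a temporary fix
// rather than a non-issue: you cannot rely on every client to do so.
$requestUri = '/wp-admin/themes.php?page=functions.php"><script>alert(1)</script><x y="';

// Mirrors the vulnerable theme code: the URI lands inside a double-quoted
// attribute with no encoding, so the embedded '"' terminates the attribute.
function render_vulnerable(string $uri): string
{
    return '<form style="display: inline" method="post" name="hicolor" '
         . 'id="hicolor" action="' . $uri . '">';
}

// Hardened rendering: encode for the attribute context. ENT_QUOTES turns
// both '"' and "'" into entities; '<' and '>' are encoded as well, so the
// payload can no longer break out of the attribute or start a new tag.
function render_hardened(string $uri): string
{
    $safe = htmlspecialchars($uri, ENT_QUOTES, 'UTF-8');
    return '<form style="display: inline" method="post" name="hicolor" '
         . 'id="hicolor" action="' . $safe . '">';
}

// Simple check a reviewer can run: the hardened output must not contain
// a raw '">' sequence in front of the injected script tag.
function breaks_out_of_attribute(string $html): bool
{
    return strpos($html, '"><script>') !== false;
}

echo "Vulnerable: ", render_vulnerable($requestUri), PHP_EOL;
echo "Hardened:   ", render_hardened($requestUri), PHP_EOL;

var_dump(breaks_out_of_attribute(render_vulnerable($requestUri))); // bool(true)
var_dump(breaks_out_of_attribute(render_hardened($requestUri)));   // bool(false)
```

The point of the comparison is the context: the same value is harmless in a text node but dangerous inside a quoted attribute, so the encoding must be chosen for where the value is echoed, not applied as a generic "strip tags" pass. Any fix that leaves the raw $_SERVER['REQUEST_URI'] in an attribute, even with a different quote style, is not a fix.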
New Release: WordPress Scanner
WordPress Scanner v1.1 has been released:
The new release includes an XSS vulnerability check for WordPress templates, as well as a number of bug fixes.
The tool is available here.