Archive for November, 2007
BackUpWordPress Remote File Include Vulnerability
A remote file include vulnerability has been found in BackupWordpress < 0.4.3.
This means an attacker can execute code on your web server if they can access the following script directly:
http://[target]/[path]/plugins/BackUp/Archive.php
A proof of concept exploit has already been released into the wild. We suggest you upgrade as soon as possible.
Affected code:
require_once $GLOBALS['bkpwp_plugin_path']."PEAR.php";
A new version is [...]
Blog security for beginners
While reading ProBlogger's "Value Blogging" today, Darren touched on something that really made me think. A lot of the Blog Security readers are fairly technical, but what about those who aren't?
The whole idea behind BlogSecurity is to be a value based blog where we not only share ideas, and practical know-how but also tools and resources [...]
Mustlive WordPress Vulnerability Archives
MustLive got hold of us with some of his older WordPress advisories and vulnerabilities. A lot of these have already been fixed.
WP Directory Traversal Vulnerabilities (WP 2.0.x) – More Info
WordPress MU 1.1.1 newblog XSS – More Info
WordPress Theme XSS vulnerabilities – Sirius 1.0, Blix and Blix Rus, Pool 1.0.7, Classic 1.5
WP-ContactForm – More Info
Subscribe to Comments [...]
ModSecurity and Wordpress: Defense in Depth
Daniel Cuthbert writes an excellent paper for BlogSec on securing your blog with ModSecurity.
Here's a snippet:
Wordpress is a state-of-the-art semantic personal publishing platform with a focus on aesthetics, web standards, and usability. Unfortunately it is also missing the vital security functions that protect the application from malicious attacks. A default install of Wordpress is not [...]