Archive for December, 2007
bs-wp-noerrors: removing WordPress DB errors
This plugin is now deprecated as of WordPress 2.3.2. WordPress 2.3.2 has error messages disabled by default. This plugin may still be useful for those running older versions.
WordPress by default has error messaging turned on:
function show_errors() {
    // enables printing of database errors to the page
    $this->show_errors = true;
[...]
WordPress 2.3.1 Charset SQL Injection Vulnerability
Abel Cheung has discovered yet another vulnerability in WordPress.
It is found that the search function provided within WordPress fails to
sanitize input based on different character sets. So if WordPress tries
to query the MySQL database using certain specific character sets, the WordPress
search function is exploitable using charset-based SQL injection.
Currently known character sets [...]
WordPress 2.3.1 SQL Injection Vulnerability
Update: 10/12/07 This vulnerability has been downgraded to an information disclosure vulnerability ONLY as no proof of concept exploit has been possible. This is contrary to the original advisory. More info here.
A new SQL Injection vulnerability may have been discovered in WordPress 2.3.1. This is a critical security risk that may allow an attacker to [...]
Failing to prepare
It seems that security tips for our software often extend no further than keeping your software up to date. This strategy alone means two things:
You can trust everyone everywhere to responsibly disclose vulnerabilities to your vendor;
When a new release is made public, the race is on… will you upgrade before the attacker diffs the packages and [...]
DNS Problems
Some of you may have noticed that BlogSec has been down for the last couple of days. This was due to DNS problems from the recent move, which have still not been resolved; however, we have set up some other DNS servers as a temporary measure until we can get the problem resolved with our ISP.