Archive for January, 2008
Frisco Vista blog hacked
Frisco Vista’s WordPress blog ran into some security problems. His experience can be read here.
WordPress Insecure by Design?
We have seen a lot of critical vulnerabilities discovered in WordPress core and its plugins of late; who is to blame? This article takes a brief look at WordPress's design and its core security functions.
One of the major problems I see with WordPress is that it provides little (if any) protection against input validation attacks. [...]
WP-Forum 1.7.4 SQL Injection
A critical vulnerability in Fredrik Fahlstad's WP-Forum plugin has been made public. Details are available on Secunia and milw0rm.
This hole may allow an unauthenticated attacker full access to your blog and potentially your web server/host.
Input passed to the “user” parameter in the WordPress installation’s index.php script (when “forumaction” is set to “showprofile” and “page_id” to a [...]
WP TextLinkAds Plugin SQL Injection Vulnerability follow up
The TextLinkAds WP plugin is dynamically generated to insert the API key. I think this dynamic generation may be wreaking havoc with version numbers. I have verified this vulnerability in version 3.0.8.
Please do not trust the version number on your WP TextLinkAds plugin; your plugin is likely vulnerable.
The advisory has been updated accordingly.
WP TextLinkAds Plugin SQL Injection Vulnerability
David Kierznowski of BlogSecurity has found a critical vulnerability in the popular TextLinkAds plugin for WordPress. The vulnerability allows an unauthenticated, remote attacker to completely compromise your database and therefore your blog.
This is a serious security risk, and should take higher priority than it has. I have shared various emails with TextLinkAds (starting 31 [...]