Site Taken Down For Wordpress Security Problem
Some of you may have noticed that the site was down for a couple of days. This was because of an apparent flaw with Wordpress. While I was attending the ACUTA conference in San Diego I decided to catch up on the news. I am glad that I did, because I noticed that Darknet had an entry about a newly discovered security vulnerability in all versions of Wordpress below 2.0.4. Unfortunately his actual site was down and I was not able to read the full article. So I made a quick judgment call and decided to take the site down until I understood more about what was actually happening.
Now that the Darknet site is back up, and I am able to get online, I see that the problem lies in allowing anybody to register for an account. I am not actually sure of the exact problem, except that it would lead to escalated privileges for the user. As stated in his article, the temporary fix for the problem is to not check the "Anyone can register" box in the "Options" management tab. I have verified that I had already disabled this setting, and now the site is back up. I will, however, update to the new version of Wordpress, which is version 2.0.4, once I get a chance (i.e. after I back everything up). You should do this as well.
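The two things worth checking on an install, as the post describes them, are the running version (anything below 2.0.4 is affected) and whether "Anyone can register" is on. The script below is an added example and not code from the post or from Wordpress itself; it checks both from artifacts you can pull offline. It relies on two real Wordpress facts: the version lives in wp-includes/version.php as a `$wp_version = '...';` assignment, and the "Anyone can register" checkbox is stored in the wp_options table as the `users_can_register` option (`1` when checked). The version.php text and the option rows below are constructed sample input, standing in for the real file and for the output of `SELECT option_name, option_value FROM wp_options`.

```python
import re

# Version the post says fixes the issue; anything below it is treated as affected.
FIXED_VERSION = (2, 0, 4)

# Constructed sample of wp-includes/version.php from an un-patched install (not a real file).
SAMPLE_VERSION_PHP = """<?php
$wp_version = '2.0.3';
?>"""

# Constructed rows shaped like `SELECT option_name, option_value FROM wp_options`.
SAMPLE_OPTIONS = [
    ("blogname", "Security Ripcord"),
    ("users_can_register", "1"),   # the "Anyone can register" box is checked
    ("default_role", "subscriber"),
]


def parse_wp_version(version_php_text):
    """Pull the $wp_version string out of the contents of wp-includes/version.php."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", version_php_text)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def version_tuple(version):
    """'2.0.4' -> (2, 0, 4). A pre-release suffix such as '2.1-alpha' is ignored and the
    tuple is padded to three places so that '2.1' compares as (2, 1, 0)."""
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError("unparseable version: %r" % version)
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def version_is_affected(version):
    """True for every release below the fixed version."""
    return version_tuple(version) < FIXED_VERSION


def registration_open(option_rows):
    """True when users_can_register is '1', i.e. anyone may create an account."""
    for name, value in option_rows:
        if name == "users_can_register":
            return value.strip() == "1"
    return False  # option absent: treated as unset, registration closed


def audit(version_php_text, option_rows):
    """Combine both checks and return the findings a reader would act on."""
    version = parse_wp_version(version_php_text)
    affected = version_is_affected(version)
    open_reg = registration_open(option_rows)
    findings = []
    if affected:
        findings.append("Wordpress %s is below %s; upgrade after backing up"
                        % (version, ".".join(str(n) for n in FIXED_VERSION)))
    if affected and open_reg:
        findings.append("'Anyone can register' is enabled; uncheck it under Options "
                        "until the upgrade is done")
    return {"version": version, "affected": affected,
            "registration_open": open_reg, "findings": findings}


if __name__ == "__main__":
    for line in audit(SAMPLE_VERSION_PHP, SAMPLE_OPTIONS)["findings"]:
        print(line)
```

On a live install, feed `parse_wp_version` the real contents of wp-includes/version.php and `registration_open` the rows from wp_options; the registration finding is only raised while the version is still affected, since after upgrading to 2.0.4 open registration is a policy choice rather than this exposure.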
Go forth and do good things.
Cutaway
security, Darknet, Wordpress, Cutaway Security, Security Ripcord
Help support my training and travel to security conferences. Get your SANS Training and GIAC Certifications through the Security Ripcord.