A wordpress bug lets people read your draft posts with future timestamps, as well as get hidden information about your database table structure and limits! WordPress version 2.3.2 is now released and fixes these important security issues.
The WordPress 2.3.2 security release will fix bugs that expose your draft posts, fixes error messages that can give away information about your database table structure and limits and stops some information leaks in the XML-RPC and APP implementations.
Michael Brooks reported it at Bugtraq
The impact of the flaw is that an attacker can read posts while they are still drafts. This is an ability that only the administrator should have. Imagine a stranger being able to read the news before it is published. Or perhaps a spam-blog harvesting posts before they are published.
….
The attack fails when search engine friendly urls are turned on in wordpress, however this option is turned off by default. Turning search engine friendly urls on is a workaround until a patch is created.
The bug has highlighted how easily you could read what ShoeMoney or Problogger is going to post tomorrow! Simply modify the url below and behold the bug for any blog …http://www.yourblogname.com/?x=wp-admin/&paged=1
I tried it on my blog and was unable to see any future posts because I use search engine friendly permalinks and this bug fails on them.
Download WordPress 2.3.2 now and secure your blog and avoid hackers to see your future posts and database details. See the changes between 2.3.1 and 2.3.2 and you can easily update only those changed files by FTP and secure wordpress in minutes.
Related articles you might like ...
没有评论:
发表评论