WordPress 3.0.3 Fixes Authorization Issues
Hot on the heels of the previous update that patched an authenticated SQL injection vulnerability, WordPress have released version 3.0.3 which fixes authorization issues in the remote publishing interface. The vulnerability may allow Author and Contributor-level users to improperly edit, publish, or delete posts. WordPress state:
These issues only affect sites that have remote publishing enabled.
I would also add that these issues only affect sites that actually have Author and Contributor-level users. If you’re the only user of your blog, you don’t need to be worried (but update anyway).
Remote publishing is enabled and disabled in Settings > Writing > Remote Publishing.
WordPress <= 3.0.1 Authenticated SQL Injection 0day [Patched]
WordPress 2.x – 3.0.1 is vulnerable to an authenticated SQL injection 0day. A lack of proper input validation in the do_trackbacks() function of wp-includes/comment.php allows any logged-in user with publish_posts and edit_published_posts privileges (Author group) to execute arbitrary SELECT SQL queries on the database.
This vulnerability can be exploited by entering a specially-crafted string into the Send Trackbacks field when editing a post. The effect of exploitation is that the user may be able to extract arbitrary information, such as usernames and password hashes, from the database.
What this means to WordPress users:
- If you are the only user (post author) on your blog, then you don’t have to worry.
- If you have other users with Author privileges, then they could use this to extract information from your database (including your password hash).
- You can temporarily mitigate this by revoking Author privileges from any users you don’t fully trust.
- All WordPress users are encouraged to update to version 3.0.2 which patches this vulnerability.
See this post for full details.