Wednesday, 6 February 2008

Upgraded to WordPress 2.3.3 ‘Coz of Security Issues, Again!

Went to the Aussie Bloggers forums this morning and spotted this post on an urgent WordPress upgrade (yes, I usually troll the forums early in the morning instead of reading RSS feeds). WordPress 2.3.3 has been released, fixing a few minor bugs and a security issue. Yes, again: less than two months after WordPress 2.3.2, which fixed an issue exposing your draft posts. WordPress in 2008 almost feels like phpBB2 in 2005 to me.

Yes. Please call all your friends who run self-hosted WordPress blogs and get them to upgrade to the very latest version.

To see what has changed from WordPress 2.3.2 to 2.3.3, you can use the following Subversion command:

$ svn diff --old=http://svn.automattic.com/wordpress/tags/2.3.2 \
           --new=http://svn.automattic.com/wordpress/tags/2.3.3

That shows the diff of the five files that changed. The biggest change is in xmlrpc.php, in changeset 6715, where Ryan tries to fix this security issue (yes, the ticket was opened in November last year and only got fixed yesterday, three months later). Basically, the handler takes the post type from the XML-RPC request and only does the capability check when that claimed type is “post”, instead of first looking up what kind of object the target actually is. So any account can edit posts and pages via XML-RPC by faking the post type as “page”. For more detail on this exploit, see The Seeker Blog; it appears to be “going wild” at the moment.
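To make the flaw concrete, here is a small Python model of the authorization decision, added here as an illustration; it is not WordPress's xmlrpc.php and not the 2.3.3 diff. Posts live in a dict, users carry a set of capabilities, the capability check is loosely modelled on WordPress's edit_post/edit_page meta-capabilities, and the sample accounts and posts are constructed. `edit_post_vulnerable` gates the check on the post_type claimed in the request, as described above; `edit_post_fixed` checks against the stored record regardless of what the request says.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    caps: set = field(default_factory=set)   # e.g. {"edit_others_posts"}


@dataclass
class Post:
    id: int
    post_type: str      # "post" or "page", as stored in the database
    author: str
    content: str


class Forbidden(Exception):
    """Stands in for the IXR_Error(401, ...) the XML-RPC server returns."""


def sample_store():
    # Constructed sample data: an admin's post and an admin's page.
    return {
        1: Post(1, "post", "admin", "Hello world!"),
        2: Post(2, "page", "admin", "About this blog"),
    }


def current_user_can(user, post):
    """Loosely modelled on WordPress's edit_post / edit_page meta-caps:
    authors may edit their own objects; anyone else needs the
    edit_others_posts or edit_others_pages capability for the STORED type."""
    if post.author == user.name:
        return True
    return "edit_others_%ss" % post.post_type in user.caps


def edit_post_vulnerable(user, post_id, request, posts):
    """Shape of the pre-2.3.3 check as described above (simplified model, not
    the literal xmlrpc.php): post_type is read from the request, defaulting
    to "post", and the capability check only runs for that claimed type."""
    post = posts[post_id]
    claimed_type = request.get("post_type", "post")
    if claimed_type == "post" and not current_user_can(user, post):
        raise Forbidden("Sorry, you can not edit this post.")
    post.content = request["description"]
    return post


def edit_post_fixed(user, post_id, request, posts):
    """Hardened form: the request's post_type plays no part in authorization;
    the check is made against the record that is actually being modified."""
    post = posts[post_id]
    if not current_user_can(user, post):
        raise Forbidden("Sorry, you can not edit this %s." % post.post_type)
    post.content = request["description"]
    return post


def try_edit(handler, user, post_id, request, posts):
    """Run one handler and report the outcome as a string."""
    try:
        handler(user, post_id, request, posts)
        return "edited"
    except Forbidden:
        return "denied"


def demo():
    """Exercise both handlers with a subscriber that tells the truth, a
    subscriber that claims the target is a "page", and the real author."""
    admin = User("admin", {"edit_others_posts", "edit_others_pages"})
    subscriber = User("subscriber")          # open registration grants no caps
    honest = {"post_type": "post", "description": "defaced"}
    faked = {"post_type": "page", "description": "defaced"}
    results = {}
    for name, handler in (("vulnerable", edit_post_vulnerable),
                          ("fixed", edit_post_fixed)):
        posts = sample_store()               # fresh copy per handler
        results[name] = {
            "honest": try_edit(handler, subscriber, 1, honest, posts),
            "faked": try_edit(handler, subscriber, 1, faked, posts),
            "author": try_edit(handler, admin, 1, faked, posts),
        }
    return results


if __name__ == "__main__":
    for handler, outcome in demo().items():
        print(handler, outcome)
```

Running `demo()` shows the subscriber denied when it tells the truth, let through by the vulnerable handler when it claims “page”, and denied by the fixed handler either way, while the admin still edits their own post in both. The general lesson is the one behind this bug: never let a field the caller controls decide which authorization check runs; load the object first and let its stored attributes decide.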

The fix also only comes in 2.3 flavour, whereas the concept of a “page” has been in WordPress since 2.0. That also means all you 2.0/2.1/2.2 users are still vulnerable: you have to upgrade to the latest stable branch, although not all existing plugins and themes work with 2.3…

I think I am starting to agree with Mark.

Category: Uncategorized | 5 Comments

Links to This Article

  1. Thu, 7 February 2008 11:16 am
    DreamHost Enters Into Application Hosting | HostingFu

Comments

1.
Posted by Matt on Wed, 6 February 2008 11:55 am

It sounds like you’re pretty angry about this release, and it always sucks to have to do one due to security, but let me clarify two things.

The ticket is a little confusing: even though the issue was opened up 3 months ago, there was not enough information to identify the issue and it was closed. The original poster said as much on wp-hackers the other day. When the new issue came to light Lloyd Budd edited the ticket to update it with the new information, and the fix was there within hours, not months later as it may look from the ticket.

The problem doesn’t apply to 2.0 users, which is the stable branch we’ve committed to maintaining through 2010. 2.1/2.2 are both unsupported branches; I don’t think they’re affected by this issue but they probably have others, so you should be running either 2.0.latest or 2.3.latest. You could also protect your blog from this and the previous issue you refer to by turning off open registration, which is actually off by default when you install WP.

Do you have any more questions about the release I could answer? I’m happy to try my best to clarify what the situation is and what the thinking was behind issues.


2.
Posted by scotty on Wed, 6 February 2008 12:30 pm

Matt,

Thanks for the clarification, especially on how the ticket was updated. No, I am not angry, but frustrated. It is easy for me to keep up with WordPress development and new releases, but (due to WP’s popularity) there might be millions of blogs out there that are not patched because they were installed by Fantastico and the like. A few days ago I had to report to PodShow that some of their blogs were hacked — and I thought they were big and tech-savvy enough to know that they need to keep up to date? Not entirely WordPress’ fault, but frustrating nevertheless.

Sorry that I did not know the official stable branches are 2.0 and 2.3. I have just checked the code and it appears 2.0/2.1 are not affected but 2.2/2.3.2 are.

Thanks again for the explanation.


3.
Posted by Matt on Wed, 6 February 2008 12:44 pm

Man it frustrates me too. Hopefully with the update notification added in 2.3 and the one-click upgrades coming in 2.5 we’ll get more people updating when we do a release.

I think you also have a good point that we need to put pressure on the hosts and Fantastico to take responsibility for the blogs that they set up and stay current with releases.


4.
Posted by mark on Wed, 6 February 2008 4:04 pm

not all wordpress sucks, just the diy version ;)

XML-RPC?

unsupported branches?

security issues?

$ svn diff?

2.1/2.2?

“there might be millions of blogs out there that are not patched because they were installed by Fantastico and alike”

holy cow, I wouldn’t wish that stuff on my worst enemy and certainly never recommend it to a non-programmer, yet it’s still one of the most popular blogging solutions? crazy world.

