[wp-hackers] Security alert for WP 1.5.1.3

Frederic de Villamil fdevillamil at gmail.com
Wed Aug 10 13:54:22 GMT 2005



On Wed, 10 Aug 2005 08:41:12 -0500, Lorelle VanFossen wrote
> Me no expert, just passing on info.
> 
> Security Issue: http://secunia.com/advisories/16386/
> WordPress Forum first post: http://wordpress.org/support/topic/41464
> 
> DrBacchus says: Nobody should have register_globals enabled. Yes,
> it's icky and the bug should be fixed, but the responsibility also
> lies with the server admin. register_globals is the devil.
> relle: DrBacchus: could a plugin turn on the globals?
> DrBacchus: relle: it can be turned on in a .htaccess file, so, presumably a plugin
> could do that.
> 
> Fix: In .htaccess add a line for php_flag register_globals off
> 
> Lorelle

drBacchus is right, but in real life things aren't that simple.
A lot of companies use old PHP applications that need register_globals to be
enabled, and a lot of PHP developers are unaware of security issues. On the
other hand, a lot of webservers that have register_globals set to on won't allow
a vhost / website to use .htaccess.
The best is to patch the code for the next release to avoid
1/ stupid people getting owned because of our beloved application
2/ WordPress becoming the next "bugtraq exploit of the day" every week like
phpNuke / gallery / phpBB / wu-ftpd are or used to be.

--
Frédéric de Villamil
What is mine is mine, what is yours is negotiable. (biker proverb)
http://www.eretzvaju.org
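The following is an added illustration of the register_globals problem discussed in this thread; it is not code from the thread, from WordPress, or from the Secunia advisory. The `$request` array stands in for `$_GET`/`$_POST` and is constructed for the example, and the `'admin'` username check is a hypothetical authorization step. It shows the vulnerable pattern (a control variable that is only assigned on success and never initialised), the hardened form, and a runtime check of the setting. Note that register_globals is PHP_INI_PERDIR, so it can only be changed in php.ini, httpd.conf or .htaccess (the `php_flag` line Lorelle quotes needs `AllowOverride Options` for that directory), never with `ini_set()` at runtime; the setting was removed entirely in PHP 5.4.

```php
<?php
// Added example, not code from the wp-hackers thread or from WordPress.

// Constructed request, standing in for $_GET / $_POST. An attacker adds
// ?authorized=1 to the URL.
$request = array('authorized' => '1', 'user' => 'guest');

// --- Part 1: what register_globals=On does, simulated here so the script
// behaves the same with the flag off: every request key becomes a global
// variable before the application code runs.
foreach ($request as $name => $value) {
    $GLOBALS[$name] = $value;
}

// Vulnerable pattern: $authorized is assigned only on success and never
// initialised, so the value injected through the request survives.
// (Hypothetical check: the user named 'admin' is the administrator.)
if ($user === 'admin') {
    $authorized = true;
}
if (!empty($authorized)) {
    echo "vulnerable: access granted to '$user'\n";   // reached as 'guest'
} else {
    echo "vulnerable: access denied to '$user'\n";
}

// --- Part 2: hardened form. Initialise every control variable before use
// and read input only from the request superglobals ($request here), which
// register_globals does not alter. The injected ?authorized=1 is ignored.
$authorized = false;
$user = isset($request['user']) ? $request['user'] : '';
if ($user === 'admin') {
    $authorized = true;
}
echo $authorized ? "hardened: access granted to '$user'\n"
                 : "hardened: access denied to '$user'\n";

// --- Part 3: detect the setting at runtime, for hosts where you cannot
// rely on .htaccess being honoured. ini_get() returns "" or "0" when the
// flag is off; on PHP 5.4 and later the flag no longer exists.
if (ini_get('register_globals')) {
    echo "WARNING: register_globals is On for this script\n";
}
```

Run it under PHP 5.x with `php example.php`: Part 1 prints "access granted to 'guest'", Part 2 prints "access denied to 'guest'" for the same request, which is the whole difference between the pattern the advisory exploits and code that does not care whether the server admin got the flag right.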
