[wp-hackers] Mysql.com cracked, possible bad PR for WordPress
Brian Layman
wp-hackers at thecodecave.com
Wed Mar 30 13:45:20 UTC 2011
On 3/30/2011 9:21 AM, Vid Luther wrote:
> So, security lists are going to have a field day with this one, and I wanted to help this community get ahead of it.
>
> First see http://seclists.org/fulldisclosure/2011/Mar/309?utm_source=twitterfeed&utm_medium=twitter
>
> and
>
> http://pastebin.com/raw.php?i=BayvYdcP (the end of this link may be NSFW, depending on where you work).
>
> A knee-jerk reaction I'm seeing in channels is that it's WordPress' fault; it's easy to blame, but it may be more a case of a known
> exploit not being patched. I'm not aware of any SQL injection vulnerabilities in the past year, though.
>
> Here's wishing them all luck, and a reminder to all of you to update your installs, including PHP/apache etc :).
I think it's funny that people, including Nacin yesterday :P, are just
seeing this for the first time. I posted a notice about it to wp-hackers
last week. I think there is little risk of bad PR to WordPress out of
this. Looking at the source code of the page that allowed the hack, I
don't think it is a WP generated page, though it is possible to
completely hide that these days. My guess would be that people just saw
a WordPress multisite database in the list and started babbling.
The bigger risk is that one of us used a un/pw combo on MySQL that they
use everywhere else too. That's another reason to use a unique pw on
every site you log into.
--
Brian Layman
http://eHermitsInc.com