WordPress Tavern Forum » WordPress » General WordPress
Jeffro, WPTavern Forum Admin (07-20-2009, 10:03 AM):

I didn't think of it that way, but you're right.
Otto (07-20-2009, 10:13 AM):

Here are the security changes:
http://core.trac.wordpress.org/chang...=11719%40trunk

Short version: The comment author email was not properly escaped, so it was/is possible to put code into there which would get displayed on the page. It was not particularly *easy* to do that, mind you, but it was still possible.

Security risk: Medium. It's an XSS bug; exploiting it is difficult but can be automated. If you allow comments, you're vulnerable. It would be difficult to exploit this to gain deeper access to the site, due to the limited field size.

Most likely attack: Annoyance factor. Somebody could, for example, make a comment that caused the page to redirect when displayed.
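The bug Otto describes, shown as an added example (written for this page, not code from WordPress or from anyone in the thread): a comment author value printed into the page without escaping, beside the escaped version. The theme-style render functions, the two payloads and the attacker.invalid URL are assumptions constructed for the demo; the HTMLParser check only shows what a browser would parse and is not a sanitizer.

```python
"""Added example, not from WordPress or the thread: what "not properly escaped"
means for a comment author field, and what escaping on output changes.

Assumed: a theme prints the author value inside a mailto: link. The render
functions are illustrative stand-ins, not WordPress template functions; the
payloads and the attacker.invalid URL are constructed for the demo."""
import html
import re
from html.parser import HTMLParser

# Constructed attacker inputs for the comment author email field. Both are short
# enough for a size-limited field. The first closes the attribute and the tag and
# injects a script that redirects the visitor (Otto's "page redirects when
# displayed"); the second stays inside the tag and adds an event handler.
SCRIPT_PAYLOAD = '"><script>location="http://attacker.invalid/"</script>'
ATTR_PAYLOAD = '" onmouseover="location=\'http://attacker.invalid/\''


def render_author_unescaped(email: str) -> str:
    """Vulnerable: the untrusted value is concatenated straight into the HTML."""
    return '<a href="mailto:' + email + '">' + email + '</a>'


def render_author_escaped(email: str) -> str:
    """Hardened: escape on output. html.escape(quote=True) turns & < > " and '
    into entities, so the value can neither end the attribute nor open a tag.
    A WordPress theme does the equivalent with esc_attr()/esc_html()."""
    safe = html.escape(email, quote=True)
    return '<a href="mailto:' + safe + '">' + safe + '</a>'


EMAIL_SHAPE = re.compile(r"^[^\s@<>\"']+@[^\s@<>\"']+\.[^\s@<>\"']+$")


def looks_like_email(value: str) -> bool:
    """Input-side check, a second layer rather than the fix: both payloads fail
    it, but escaping on output is what protects every place the value is printed."""
    return EMAIL_SHAPE.match(value) is not None


class TagCollector(HTMLParser):
    """Records (tag, attribute names) as an HTML parser sees them. Used only as a
    demo oracle to compare the two renderers; it is not a sanitizer."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append((tag, sorted(name for name, _ in attrs)))


def parsed_tags(markup: str) -> list:
    """Return the start tags a parser finds in the rendered markup."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    for payload in (SCRIPT_PAYLOAD, ATTR_PAYLOAD):
        print("unescaped:", parsed_tags(render_author_unescaped(payload)))
        print("escaped:  ", parsed_tags(render_author_escaped(payload)))
```

With the unescaped renderer the parser sees a second `script` tag (or an `onmouseover` attribute) that the theme never wrote; with the escaped renderer it sees exactly one `a` tag with one `href`, whatever the field contains. The point is that the escape has to happen where the value is printed, because every template that prints the field is otherwise a separate instance of the same bug.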
joetek (07-20-2009, 12:40 PM):

Even if you have had trouble with the auto-upgrader, you could download it directly to your webhost and unzip it in place, instead of downloading it to your computer, unzipping, and then uploading to your webhost. That would likely be a faster option.

Looks like WPMU has been updated as well: http://mu.wordpress.org/download/

Martin (07-20-2009, 01:35 PM):

Manual upgrading is very easy and takes less than 5 minutes on the occasions when I do it.

Delete the following folders and their content: wp-includes, wp-admin

Delete all loose WordPress files in the root of your install except one file: wp-config.php.

Move across new files not including folders: wp-includes, wp-admin and file wp-config-sample.php.

Go to the following link to finalize the upgrade: http://www.mysite.com/wp-admin/upgrade.php

That's it; I used to do it like this all the time.

PS: Starting to like the auto-upgrade feature. Used it on about 40 sites today...

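Martin's file steps as a script, added here as an example rather than anything posted in the thread, run against a constructed throwaway tree so it can be tried offline. Assumptions: `site/` is the installed copy, `release/` is the unpacked new version, wp-content is treated as site data and never touched, a backup copy is taken first (that step is not in Martin's list), and the final visit to /wp-admin/upgrade.php is left to the browser.

```python
"""Added example, not from the thread: Martin's manual-upgrade steps as a
script, exercised on a constructed miniature site so it runs offline.

Assumed layout: `site/` holds the installed WordPress and `release/` the
unpacked new version. wp-content is left alone (assumption of this example),
and a rollback copy is taken before anything is deleted."""
import shutil
import tempfile
from pathlib import Path

REPLACED_DIRS = ("wp-admin", "wp-includes")      # step 1: deleted, then recreated
KEEP_ROOT_FILES = {"wp-config.php"}               # step 2: the one loose file kept
SKIP_FROM_RELEASE = {"wp-config-sample.php", "wp-content"}  # step 3: not copied


def manual_upgrade(site: Path, release: Path, backup: Path) -> dict:
    """Apply the three file steps and report what was removed and copied."""
    # Step 0 (not in the posted steps): keep a rollback copy before deleting.
    shutil.copytree(site, backup)
    removed, copied = [], []
    # Step 1: delete wp-includes and wp-admin wholesale, so files the new
    # release dropped do not linger in the web root (overwriting in place
    # would leave them behind).
    for name in REPLACED_DIRS:
        if (site / name).is_dir():
            shutil.rmtree(site / name)
            removed.append(name)
    # Step 2: delete loose files in the root, except wp-config.php.
    for entry in list(site.iterdir()):
        if entry.is_file() and entry.name not in KEEP_ROOT_FILES:
            entry.unlink()
            removed.append(entry.name)
    # Step 3: copy the new files and folders across.
    for entry in list(release.iterdir()):
        if entry.name in SKIP_FROM_RELEASE:
            continue
        if entry.is_dir():
            shutil.copytree(entry, site / entry.name, dirs_exist_ok=True)
        else:
            shutil.copy2(entry, site / entry.name)
        copied.append(entry.name)
    # Step 4 cannot be done from here: open /wp-admin/upgrade.php in a browser.
    return {"removed": sorted(removed), "copied": sorted(copied),
            "next": "open /wp-admin/upgrade.php in a browser"}


def _write(path: Path, text: str) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def build_fixture(root: Path) -> tuple:
    """Constructed miniature site and release trees (not real WordPress files)."""
    site, release = root / "site", root / "release"
    _write(site / "wp-config.php", "<?php // DB credentials live here\n")
    _write(site / "index.php", "<?php // old index\n")
    _write(site / "wp-login.php", "<?php // old login\n")
    _write(site / "stale.php", "<?php // file the new release no longer ships\n")
    _write(site / "wp-admin" / "stale-admin.php", "<?php // old admin file\n")
    _write(site / "wp-includes" / "old-lib.php", "<?php // old library\n")
    _write(site / "wp-content" / "themes" / "mine" / "style.css", "/* my theme */\n")
    _write(release / "index.php", "<?php // new index\n")
    _write(release / "wp-login.php", "<?php // new login\n")
    _write(release / "wp-config-sample.php", "<?php // sample config\n")
    _write(release / "wp-admin" / "new-admin.php", "<?php // new admin file\n")
    _write(release / "wp-includes" / "new-lib.php", "<?php // new library\n")
    _write(release / "wp-content" / "themes" / "default" / "style.css", "/* bundled */\n")
    return site, release


def run_demo() -> dict:
    """Build the fixture in a temp dir, upgrade it, and report the resulting tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        site, release = build_fixture(root)
        result = manual_upgrade(site, release, root / "backup")
        result["files"] = sorted(p.relative_to(site).as_posix()
                                 for p in site.rglob("*") if p.is_file())
        result["backup_has_config"] = (root / "backup" / "wp-config.php").is_file()
        result["index_is_new"] = "new index" in (site / "index.php").read_text()
        return result


if __name__ == "__main__":
    print(run_demo())
```

The order matters: deleting wp-admin, wp-includes and the loose root files before copying is what removes `stale.php` and `stale-admin.php`, which an overwrite-in-place upload would leave sitting in the web root after the upgrade, still reachable and still old.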
itsananderson (07-20-2009, 02:33 PM):

I usually just upload the whole archive and overwrite everything (I've configured FileZilla to overwrite without asking). Saves the trouble of deleting anything.

Of course that's a moot point, since I always use the auto-upgrader now :)
andrea_r, WPTavern Forum Moderator (07-20-2009, 04:13 PM):

Yep, they're working hard to sync WPMU updates with WP ones as the merge gets closer.

(I'm kinda excited. Can I squee in here?)
conorp (07-21-2009, 02:58 AM):

Well, auto-upgrade is quite slow as well for some reason. It's not the host, as it's fine on other internet connections.

chipbennett (07-21-2009, 11:19 AM):

Quote (Originally Posted by Jeffro):
Annnd 2.8.2 is out the door which fixes an XSS vulnerability
http://wordpress.org/development/200...rdpress-2-8-2/
Finally had time to auto-upgrade today. All went smoothly, as is, by now, expected.

Here For The Peanuts (07-22-2009, 11:27 PM):

Upgrade, upgrade, upgrade, upgrade, upgrade.

Did I mention upgrade?

Most of these attacks are on very lazy admins. You can't just give up after installation.

You have to maintain your site, do your backups and so forth.