I didn't think of it that way but you're right
Here's the security changes:
http://core.trac.wordpress.org/chang...=11719%40trunk
Short version: The comment author email was not properly escaped, so it was/is possible to put code into there which would get displayed on the page. It was not particularly *easy* to do that, mind you, but it was still possible.
Security risk: Medium. It's an XSS bug; exploiting it is difficult but can be automated. If you allow comments, you're vulnerable. It would be difficult to exploit this to gain deeper access to the site, due to the limited field size.
Most likely attack: Annoyance factor. Somebody could, for example, make a comment that caused the page to redirect when displayed.
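The bug class described above (an unescaped comment author field rendered straight into the page), as an added PHP illustration; this is not the WordPress fix from the linked changeset, and the function names and sample value are assumptions for the example:

```php
<?php
// Added illustration of the bug class discussed above: untrusted comment
// author data placed into HTML without escaping. Function names and the
// sample value are assumptions, not WordPress's own code.

/**
 * Vulnerable rendering: the email is inserted verbatim into an HTML
 * attribute, so a value containing a double quote terminates the attribute
 * early and whatever follows becomes new markup.
 */
function render_author_link_vulnerable(string $name, string $email): string
{
    return '<a href="mailto:' . $email . '">' . $name . '</a>';
}

/**
 * Hardened rendering: every untrusted value is HTML-escaped for the context
 * it lands in (attribute value and text node). ENT_QUOTES encodes both
 * ' and ", so the attribute can no longer be closed by the input.
 */
function render_author_link_safe(string $name, string $email): string
{
    $e = htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $n = htmlspecialchars($name,  ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="mailto:' . $e . '">' . $n . '</a>';
}

/**
 * Input validation at storage time: reject anything that is not
 * syntactically an email address, so the field cannot carry markup at all.
 * Output escaping is still required (defense in depth), because data
 * stored before the check existed is just as untrusted.
 */
function is_acceptable_author_email(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed sample value containing a quote and a harmless marker
// attribute; it only demonstrates attribute breakout, nothing executable.
$hostile = 'a@b.example" data-marker="';

// The vulnerable version emits a second attribute; the safe version keeps
// the whole value inside one quoted href, and validation rejects it outright.
echo render_author_link_vulnerable('Alice', $hostile), PHP_EOL;
echo render_author_link_safe('Alice', $hostile), PHP_EOL;
var_dump(is_acceptable_author_email($hostile));
```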
Even if you have had trouble with the autoupgrader, you could download it directly to your webhost and unzip it in place instead of downloading it to your computer, unzipping and then uploading to your webhost. That would likely be a faster option.
Looks like WPMU has been updated as well: http://mu.wordpress.org/download/
Manual upgrading is very easy and takes less than 5 minutes when I sometimes do it.
Delete the following folders and their content: wp-includes, wp-admin
Delete all loose WordPress files in the root of your install except one file: wp-config.php.
Move across new files not including folders: wp-includes, wp-admin and file wp-config-sample.php.
Go to the following link to finalize the upgrade: http://www.mysite.com/wp-admin/upgrade.php
That's it, I used to do it like this all the time....
PS: Starting to like the auto-upgrade feature. Used it on about 40 sites today...
Last edited by Martin; 07-20-2009 at 12:40 PM.
Premium WordPress Hosting - WordPress Hosting, Installations and Services.
I usually just upload the whole archive and overwrite everything (I've configured FileZilla to overwrite without asking). Saves the trouble of deleting anything.
Of course that's a moot point since I always use the auto up-grader now :)
Yep, they're working hard to sync WPMU updates with WP ones as the merge gets closer.
(I'm kinda excited. Can I squee in here?)
Well, auto upgrade is quite slow as well for some reason. It's not the host, as it's fine on other internet connections.
The lord of every land, rising for them,
The Aton of the day, great of majesty.
Great Hymn of the Aton
WP TurnKey - Turn-Key WordPress installation and maintenance services
WordPress user since 2005 | @chip_bennett | chipbennett.net | cbnet Plugins
upgrade upgrade upgrade upgrade upgrade.
Did I mention upgrade?
Most of these attacks are on very lazy admins. You can't just give up after installation.
You have to maintain your site, do your backups and so forth.