WordPress 2.8.5 released

Jared — Tue, 20 Oct 2009 23:24:35 +0000

WordPress 2.8.5 has been released and is up for download. Nothing exciting to see as it just addresses the exploit that was published this morning plus a few minor things. From the WordPress.org post:

A fix for the Trackback Denial-of-Service attack that is currently being seen.
Removal of areas within the code where php code in variables was evaluated.
Switched the file upload functionality to be whitelisted for all users including Admins.
Retiring of the two importers of Tag data from old plugins.

So get your installs up to date by downloading or upgrade in the admin panel!

WordPress trackback exploit found

Jared — Tue, 20 Oct 2009 16:33:55 +0000

Around 9am (CST) this morning we were alerted via the wp-hackers mailing list that there is an exploit out that affects the latest version of WordPress, v 2.8.4.

If you want to read more about all the technical stuff you can find the original blog post detailing the exploit here.

I wouldn’t say this is critical since your data is not at risk but anytime someone can put heat on your server it is not good.

No word yet if a patch is going to be released in the form of WordPress 2.8.5. There are a few fixes out already however.

There is a chunk of code you can paste into your theme’s functions.php file.

function ft_stop_trackback_dos_attacks(){
	global $pagenow;
	if ( 'wp-trackback.php' == $pagenow ){
		// DoS attack fix.
		if ( isset($_POST['charset']) ){
			$charset = $_POST['charset'];
			if ( strlen($charset) &gt; 50 ) {  die; }
		}
	}
}
add_action('init','ft_stop_trackback_dos_attacks');

There is also already a fix on trac.

Jared Atchison» wordpress exploit

WordPress 2.8.5 released

WordPress trackback exploit found