Archive for June, 2006
WordPress Remote Command Execution
by paul on Jun.03, 2006, under Computing
The SANS Institute has unconfirmed reports that all WordPress versions (2.0.2 and prior) are vulnerable to a remote command execution vulnerability and an IP spoofing attack. By sending a specially crafted request, an attacker can cause servers that have open user registration, or that allow users to modify their account information, to execute arbitrary commands with the privileges of the web server process.

A flaw in the processing of client request headers allows an attacker to spoof their source IP in the WordPress logs, although the web server's own logs should remain unaffected.
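The header-spoofing point is the general one that any value a client can put in a request header is attacker-controlled. The following Python is an added illustration written for this post, not WordPress code: the post does not name the header involved, so the X-Forwarded-For header and the trusted proxy address 10.0.0.1 are assumptions. It contrasts a logger that believes the header with one that accepts it only when the connection actually comes from a known proxy.

```python
# Added illustration (not WordPress code): why trusting a client-supplied
# header for the "source IP" lets any remote client write an address of its
# choosing into application logs, and how to bound that trust.
import ipaddress

# Assumption: a single reverse proxy sits in front of the application and is
# the only peer whose forwarding header we are willing to believe.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.1")}


def naive_client_ip(remote_addr, headers):
    """Flawed: prefers a header the client chooses over the socket peer address."""
    forwarded = headers.get("X-Forwarded-For")  # header name is an assumption
    if forwarded:
        return forwarded.split(",")[0].strip()
    return remote_addr


def hardened_client_ip(remote_addr, headers):
    """Honours X-Forwarded-For only when the immediate peer is a trusted proxy,
    and only accepts a syntactically valid address from it."""
    peer = ipaddress.ip_address(remote_addr)
    if peer in TRUSTED_PROXIES:
        forwarded = headers.get("X-Forwarded-For", "")
        hops = [h.strip() for h in forwarded.split(",") if h.strip()]
        # The proxy appends the address it saw as the last entry, so the
        # rightmost hop is the one we can trust; anything further left was
        # supplied by the client and is ignored unless the proxy entry is bad.
        for candidate in reversed(hops):
            try:
                return str(ipaddress.ip_address(candidate))
            except ValueError:
                continue  # garbage in the header: fall back to the peer address
    return str(peer)


# Constructed request: a direct connection from 203.0.113.7 carrying a forged header.
FORGED = ("203.0.113.7", {"X-Forwarded-For": "127.0.0.1"})
# Constructed request relayed by the trusted proxy on behalf of 198.51.100.9,
# where the client also tried to plant 127.0.0.1 ahead of the proxy's entry.
RELAYED = ("10.0.0.1", {"X-Forwarded-For": "127.0.0.1, 198.51.100.9"})

if __name__ == "__main__":
    for label, request in (("forged", FORGED), ("relayed", RELAYED)):
        print(label, "naive:", naive_client_ip(*request),
              "hardened:", hardened_client_ip(*request))
```

The naive version logs 127.0.0.1 for the forged request, which is exactly the kind of log pollution the report describes; the hardened version logs the real peer 203.0.113.7, and still recovers the true client behind the proxy for the relayed request. Whatever the web server records (REMOTE_ADDR, or the proxy's own access log) is the value to reconcile against when investigating.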
Updated Saturday, June 3rd

WordPress 2.0.3 is now available for download to address this exploit. The upgrade worked flawlessly in less than 5 minutes.
![[WordPress]](/wp-content/uploads/2007/03/10/wordpress-logo.png)