moeffju.net

Upgrade to WordPress 2.1.2 now

Update: The announcement is out. The important part is:

[…] a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file […]

Nothing in the Subversion repository was touched, so if you upgrade and maintain your blog via SVN there is no chance you downloaded the corrupted release file.

This is the kind of thing you don’t want to happen to anyone. Kudos to the WordPress guys for their quick reaction.

Original entry below.


The following mail was just posted to the WordPress mailing lists, as a reaction to this security advisory. There are multiple XSS vulnerabilities in WordPress <= 2.1.1 — inserted by a cracker — and an upgrade is urgently recommended.

Subject: Upgrade to 2.1.2
From: Matt Mullenweg m at mullenweg.com
Date: Fri Mar 2 19:41:35 GMT 2007

Hello everyone.

If anyone is running 2.1.1, or knows someone who is, I would recommend
upgrading to 2.1.2 as soon as possible. It is now available at
http://wordpress.org/download/

The md5 of the tar.gz is b1ae0c152e60300cba8c40c030baafd4.

No announcement quite yet, but coming soon. Thanks for your help.

Read the full announcement on wordpress.org.
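The two checks the post points at, the published md5 and the untouched Subversion tree, combined into one verification script. This is an added example, not code from the post or from WordPress; it assumes GNU coreutils (md5sum), tar and diff are available and that the reference directory is a clean `svn export` of the release tag.

```shell
#!/bin/sh
# Added example, not from the original post: check a downloaded release
# tarball against the published md5, then against a clean tree exported
# from Subversion, and list every file that differs. Assumes GNU coreutils
# (md5sum), tar and diff; REFDIR is e.g. the output of `svn export`.

# check_md5 FILE EXPECTED_MD5 -> 0 if the digest matches, 1 otherwise
check_md5() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# diff_release TARBALL REFDIR -> 0 if the unpacked tarball is identical to
# REFDIR; otherwise prints the differing/missing/extra paths and returns 1.
# The tarball is expected to unpack into a single top-level directory
# (the official archive unpacks into wordpress/).
diff_release() {
    tmp=$(mktemp -d) || return 2
    tar -xzf "$1" -C "$tmp" || { rm -rf "$tmp"; return 2; }
    top=$(ls "$tmp" | head -n 1)
    out=$(diff -rq "$2" "$tmp/$top") || true
    rm -rf "$tmp"
    [ -z "$out" ] && return 0
    printf '%s\n' "$out" | sed "s#$tmp/$top#<release>#g; s#$2#<reference>#g"
    return 1
}

# verify_release TARBALL EXPECTED_MD5 REFDIR -> 0 only if both checks pass
verify_release() {
    if ! check_md5 "$1" "$2"; then
        echo "md5 mismatch: $1 does not have digest $2" >&2
        return 1
    fi
    if ! diff_release "$1" "$3"; then
        echo "content differs from the Subversion export" >&2
        return 1
    fi
    echo "ok: $1 matches the published md5 and the Subversion export"
}

# Usage: ./verify_release.sh wordpress-2.1.2.tar.gz <published md5> ./wordpress-export
if [ $# -eq 3 ]; then
    verify_release "$1" "$2" "$3"
fi
```

A tampered archive that still matches the published md5 would pass the first check only; the diff against the repository export is what catches a modified file.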

WordPress 2.1-alpha3 and Ultimate Tag Warrior

If you’re running WordPress 2.1 trunk from SVN (currently at 2.1-alpha3, r4663) with Ultimate Tag Warrior (UTW) 3.141592 (the latest version as of today), UTW will lose all tags on a post when a new comment is made.

To fix this, edit the ultimate-tag-warrior-actions*.php files in your UTW directory (there should be two: one -actions.php and one -actions-wordpress2.php; edit both). In the function ultimate_save_tags($postID), add the following lines right after the opening curly bracket:

    if (!is_admin()) return $postID;
    if (!isset($_POST['tagset'])) return $postID;

Save the files and you should be all set.

The problem occurs because WordPress trunk calls the edit_post hook when new comments are added. UTW doesn’t check the environment and just assumes the admin wanted to delete all tags, and then dutifully removes the tags from the post.

The fix just does nothing when the edit_post hook gets called from outside the admin publish area.

Update: See also Thomas’ comment for the latest UTW version.