There is an upcoming security update to WordPress which should be released today.
A vulnerability was found in the WordPress trackback code that could allow attackers to DDoS your site. Should you be scared? No. So why am I not scared about this bug? If someone wanted to DDoS my site, they would; they don’t need WordPress to do it.
In the meantime, while WordPress is still being updated, here are a couple of quick fixes to secure your site. Add this to the httpd.conf Apache config file for your site, or to your .htaccess file:
[sourcecode]<Files ~ "wp-trackback.php">
Order allow,deny
Deny from all
</Files>[/sourcecode]
Alternatively, you can edit your wp-trackback.php file.
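Once the `<Files>` block above is in place, the quickest way to confirm it works and to see who was hammering the trackback endpoint is to look at the access log. The script below is an added example, not code from the post or from WordPress: it parses Apache combined-format lines (the sample lines are constructed, with documentation-range IPs), counts requests to wp-trackback.php per client, and separates the ones the server still served from the ones the new rule rejected with a 403. The `threshold` of three hits is an arbitrary illustration value.

```python
import re
from collections import Counter

# Constructed sample access log in Apache combined format (not taken from any real site).
SAMPLE_LOG = """\
203.0.113.7 - - [13/Nov/2009:10:01:01 +0000] "POST /wp-trackback.php?p=12 HTTP/1.1" 200 311 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Nov/2009:10:01:02 +0000] "POST /wp-trackback.php?p=12 HTTP/1.1" 200 311 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Nov/2009:10:01:02 +0000] "POST /wp-trackback.php?p=12 HTTP/1.1" 200 311 "-" "Mozilla/5.0"
198.51.100.4 - - [13/Nov/2009:10:01:05 +0000] "GET /2009/11/hello-world/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [13/Nov/2009:10:01:09 +0000] "POST /wp-trackback.php?p=3 HTTP/1.1" 403 202 "-" "curl/7.19"
"""

# client ip, identity, user, [timestamp], "METHOD PATH PROTOCOL", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields we care about from one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop the query string (?p=12)
        "status": int(m.group("status")),
    }


def trackback_hits(log_text):
    """Count requests to wp-trackback.php per client IP.

    Returns (served, blocked): 'served' are requests that reached the script
    (any status other than 403), 'blocked' are the ones the Apache rule rejected.
    """
    served = Counter()
    blocked = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/wp-trackback.php"):
            continue
        if rec["status"] == 403:
            blocked[rec["ip"]] += 1
        else:
            served[rec["ip"]] += 1
    return served, blocked


def noisy_sources(served, threshold=3):
    """IPs whose served trackback requests reach the threshold (illustrative value)."""
    return sorted(ip for ip, n in served.items() if n >= threshold)


if __name__ == "__main__":
    served, blocked = trackback_hits(SAMPLE_LOG)
    print("served :", dict(served))
    print("blocked:", dict(blocked))
    print("noisy  :", noisy_sources(served))
```

Run it against your real log (`trackback_hits(open("/var/log/apache2/access.log").read())`): after the rule is active, every trackback request should land in `blocked`, and anything still showing up in `served` means the block is not being applied to that virtual host or directory. Note that the `Order allow,deny` / `Deny from all` pair in the post is Apache 2.2 syntax; on Apache 2.4 the equivalent inside the same `<Files>` block is `Require all denied`.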
Here is the diff of the patch that closes the security hole.
[sourcecode]— a/branches/2.8/wp-trackback.php
+++ b/branches/2.8/wp-trackback.php
@@ -51,5 +51,5 @@
if ($charset)
<em>- $charset = strtoupper( trim($charset) );</em>
<strong>+ $charset = str_replace( array(‘,’, ‘ ‘), ”, strtoupper( trim($charset) ) );</strong>
else
$charset = ‘ASCII, UTF-8, ISO-8859-1, JIS, EUC-JP, SJIS’;[/sourcecode]
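Review bot: the `+` line only strips commas and spaces out of the request-supplied charset before upper-casing it; any other value still reaches the conversion unchanged, so it would be more robust to compare the cleaned value against the known encodings already listed in the `else` branch (or PHP's `mb_list_encodings()`) and fall back to that default list when it does not match. Also, the quotes as rendered in the `+` line (‘,’, ‘ ‘, ”) are typographic and will not parse as PHP if pasted; the actual source uses straight single quotes: `$charset = str_replace( array(',', ' '), '', strtoupper( trim($charset) ) );`.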
There were other small bug fixes as well; here is the list of changes:
- Fix for trackback DoS
- Removal of permalink_structure eval
- Remove some create_function() calls
- Disallow unfiltered uploads for admins by default. Enable it again with define('ALLOW_UNFILTERED_UPLOADS', true); in wp-config.php
- Add extra escaping here and there for defense in depth
- Retire two old importers
- A few small bug fixes