Kakkoi » patch http://42.kaizeku.com web development, software, windows tips and trick Sat, 12 Jul 2008 15:10:01 +0000 http://wordpress.org/?v=2.6 en WordPress 2.3.3 Security Release http://42.kaizeku.com/wordpress/wordpress-233-security-release/ http://42.kaizeku.com/wordpress/wordpress-233-security-release/#comments Tue, 05 Feb 2008 06:01:34 +0000 Noah Ark http://blog.kakkoi.net/wordpress/wordpress-233-securities-release/

wordpress small logoWordpress 2.3.3 fixes a few minor bugs and the debatable Wordpress 2.3.2 XMLRPC vulnerability. It took 4 months to track the XMLRPC exploit and 1 days for the patch to be release. Kudos to WordPress Developer especially Ryan & Joseph Scott for these quick security release.

Wordpress 2.3.2 XMLRPC vulnerability patches by josephscott

External Links

]]> http://42.kaizeku.com/wordpress/wordpress-233-security-release/feed/ Wordpress 2.3.2 XMLRPC Exploit Unofficial Patch http://42.kaizeku.com/wordpress/wordpress-232-xmlrpc-exploit-unofficial-patch/ http://42.kaizeku.com/wordpress/wordpress-232-xmlrpc-exploit-unofficial-patch/#comments Sat, 02 Feb 2008 21:32:51 +0000 Noah Ark http://blog.kakkoi.net/wordpress/wordpress-232-xmlrpc-exploit-unofficial-patch/

this is relevant to my interest lolcatThis issue has been raised 4 months ago (october 2007). Certainly this is one of BadPress Ticketing Problems. Until WordPress Developer release Official securities fix (v 2.3.2.1 || 2.3.5 ?? ) You might want to try this “debatable” patch by SecuriTeam - Paul (Yabba) Jones.

Note: Matt Mullenweg & the WP-Hackers is against secureTeam “hasty-patch” and their POC release. [wp-hackers] xmlrpc issue or no?.

Excerpt from Wordpress Support Forum » iframe injection problem?

Matt Mullenweg → [...] I would rather not have people think they’re safe and really not be, and there is a release coming shortly anyway. [...]
If anyone is scared and wants a fix NOW, they should either turn off registration (which is off by default) or delete xmlrpc.php. ~ Feb 3, 2008

WordPress 2.3.3 has been release it’s advice not to try this patches

Patch xmlrpc.php via WordPress Admin

  1. Login to Wordpress Admin
  2. manage-files-xmlrpc.png Goto Manage » Files then scroll down to “Other Files” sections, type in xmlrpc.php. otherwise type the following URL in your browser address-bar ↓ 
    mydomain.com/wp-admin/templates.php?file=xmlrpc.php&submit=Edit+file+%C2%BB
  3. Find the following code (around Line 1151 - 1203 ) within wp_xmlrpc_server::mw_editPost() class methods ↓ 
    if ( ( 'post' == $post_type ) && !current_user_can('edit_post', $post_ID) )
  4. Replace with 
    //if ( ( 'post' == $post_type ) && !current_user_can('edit_post', $post_ID) )
 if ( ( 1 || 'post' == $post_type ) && !current_user_can('edit_post', $post_ID) )

    saved.

  5. Disabled New User Registrations for temporary.

External Links

]]> http://42.kaizeku.com/wordpress/wordpress-232-xmlrpc-exploit-unofficial-patch/feed/