[wp-hackers] Forum Help

Matthew Thomas mpt at myrealbox.com
Sun May 15 16:34:08 GMT 2005


Podz wrote:
>...
> Fact is this - if Google's caching is going to cause WordPress users 
> problems, and if that is going to cause them to post to the forums, then 
> I'd be grateful now if someone could write the technical explanation 
> that I will be cutting and pasting dozens of times.
>...

Okay, here you go:

---8<---
A security vulnerability has been identified in WordPress that could 
allow an attacker to delete posts, pages, or comments on your Weblog, by 
getting you to click on a link. The attacker could (for example) include 
this link in a comment on your Weblog or someone else's, or send it to 
you in an HTML e-mail message.

This vulnerability may also cause posts, pages, or comments to be 
deleted, your Weblog theme to be changed, or unexpected logouts, if you 
use Google Web Accelerator or another Web accelerator tool while 
administering your WordPress site.

Until the vulnerability is patched, you can help protect yourself by 
following these steps.

1.  If you do not already have a user style sheet for your Web browser,
     follow <a href=
     "http://www.squarefree.com/userstyles/user-style-sheets.html">Jesse
     Ruderman's instructions</a> to create one. Put this text in it:
         a[href*="wp-admin/"] {
           color: purple !important;
           background-color: yellow !important;
         }
     This will cause WordPress administration links to appear as purple
     text on a yellow background.

2.  Do not click on links with purple text on a yellow background,
     unless they appear on WordPress administration pages. Even here, do
     not click them if they appear inside comments or trackbacks.

3.  If you use Google Web Accelerator, follow <a href=
     "http://webaccelerator.google.com/support.html#preferences2"
     >Google's instructions</a> to make it inactive whenever visiting
     your own Weblog, or any other Weblog that you often read comments
     in. Similarly if you use any other Web accelerator tool, configure
     it to be inactive whenever visiting your own Weblog or any other
     Weblog that you often read comments in.

4.  If you read e-mail in an e-mail program, do not click any links
     containing the text "wp-admin". If you also accept HTML e-mail, do
     not click any links in messages from people you do not know.

The vulnerability will be fixed in WordPress 1.5.2.
---8<---

Caveat: I haven't tested any of the above. (Ideally, there's something 
obvious I'm missing such that the problem doesn't affect WordPress at 
all.) So you might like to test the instructions before disseminating them.

-- 
Matthew Thomas
http://mpt.net.nz/


More information about the wp-hackers mailing list