[wp-hackers] Forum Help
Matthew Thomas
mpt at myrealbox.com
Sun May 15 16:34:08 GMT 2005
Podz wrote:
>...
> Fact is this - if Google's caching is going to cause WordPress users
> problems, and if that is going to cause them to post to the forums, then
> I'd be grateful now if someone could write the technical explanation
> that I will be cutting and pasting dozens of times.
>...
Okay, here you go:
---8<---
A security vulnerability has been identified in WordPress that could
allow an attacker to delete posts, pages, or comments on your Weblog, by
getting you to click on a link. The attacker could (for example) include
this link in a comment on your Weblog or someone else's, or send it to
you in an HTML e-mail message.
This vulnerability may also cause posts, pages, or comments to be
deleted, your Weblog theme to be changed, or unexpected logouts, if you
use Google Web Accelerator or another Web accelerator tool while
administering your WordPress site.
Until the vulnerability is patched, you can help protect yourself by
following these steps.
1. If you do not already have a user style sheet for your Web browser,
follow <a href=
"http://www.squarefree.com/userstyles/user-style-sheets.html">Jesse
Ruderman's instructions</a> to create one. Put this text in it:
a[href*="wp-admin/"] {
color: purple !important;
background-color: yellow !important;
}
This will cause WordPress administration links to appear as purple
text on a yellow background.
2. Do not click on links with purple text on a yellow background,
unless they appear on WordPress administration pages. Even here, do
not click them if they appear inside comments or trackbacks.
3. If you use Google Web Accelerator, follow <a href=
"http://webaccelerator.google.com/support.html#preferences2"
>Google's instructions</a> to make it inactive whenever visiting
your own Weblog, or any other Weblog that you often read comments
in. Similarly, if you use any other Web accelerator tool, configure
it to be inactive whenever visiting your own Weblog or any other
Weblog that you often read comments in.
4. If you read e-mail in an e-mail program, do not click any links
containing the text "wp-admin". If you also accept HTML e-mail, do
not click any links in messages from people you do not know.
The vulnerability will be fixed in WordPress 1.5.2.
---8<---
Caveat: I haven't tested any of the above. (Ideally, there's something
obvious I'm missing such that the problem doesn't affect WordPress at
all.) So you might like to test the instructions before disseminating them.
--
Matthew Thomas
http://mpt.net.nz/
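The mechanism behind the message above, as an added example that is not part of the post and not WordPress's own code: an administration page whose delete action is triggered by a plain GET link, a model of a Web accelerator that prefetches every link on the page with the logged-in user's session, and the hardened handler that refuses GET and requires a per-session token. The `Blog`, `Request`, `Session` and `_csrf` names, the post contents and the URL layout are assumptions made for illustration.

```python
"""Why an accelerator or a planted link can delete a post over GET, and the
standard fix: state changes only over POST, carrying a per-session token.

Added example; the class names, URL layout and `_csrf` parameter are
assumptions, not WordPress's actual code.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    path: str
    params: dict
    session: Session


class Blog:
    """Toy admin backend with one state-changing action: delete a post."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.posts = {1: "Hello world", 2: "Second post"}  # constructed sample data

    def admin_page(self) -> str:
        # Plain GET links that carry the action, as the message describes.
        links = "".join(
            f'<a href="/wp-admin/post.php?action=delete&amp;post={pid}">Delete {pid}</a>'
            for pid in self.posts
        )
        return f"<html><body>{links}</body></html>"

    def handle(self, req: Request) -> str:
        if req.path != "/wp-admin/post.php" or req.params.get("action") != "delete":
            return "404"
        if self.hardened:
            # A prefetcher or a link in a comment can only produce GETs: refuse them.
            if req.method != "POST":
                return "405 method not allowed"
            # A secret only this session knows binds the request to the real admin.
            token = req.params.get("_csrf", "")
            if not hmac.compare_digest(token, req.session.csrf_token):
                return "403 bad token"
        self.posts.pop(int(req.params["post"]), None)
        return "deleted"


class LinkCollector(HTMLParser):
    """Collect every href on a page, the way a prefetcher would."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def prefetch_all_links(blog: Blog, session: Session) -> list:
    """Model a Web accelerator: GET every link on the admin page using the
    user's own session cookie, which is what turns a link into a deletion."""
    collector = LinkCollector()
    collector.feed(blog.admin_page())
    results = []
    for href in collector.hrefs:
        parts = urlsplit(href)
        params = {k: v[0] for k, v in parse_qs(parts.query).items()}
        results.append(blog.handle(Request("GET", parts.path, params, session)))
    return results


def legitimate_delete(blog: Blog, session: Session, post_id: int) -> str:
    """The request a real admin's form submission makes: POST plus the token."""
    params = {"action": "delete", "post": str(post_id), "_csrf": session.csrf_token}
    return blog.handle(Request("POST", "/wp-admin/post.php", params, session))


if __name__ == "__main__":
    for hardened in (False, True):
        blog, session = Blog(hardened), Session("admin")
        print("hardened" if hardened else "weak", prefetch_all_links(blog, session),
              "posts left:", sorted(blog.posts))
```

The weak variant loses every post the moment the admin page is prefetched; the hardened one answers 405 to each prefetch and still deletes normally when the admin submits the POST form with the session token, which is the behaviour the user style sheet workaround is standing in for until the fix ships.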