[wp-hackers] Mysql.com cracked, possible bad PR for WordPress

Brian Layman wp-hackers at thecodecave.com
Wed Mar 30 13:45:20 UTC 2011

On 3/30/2011 9:21 AM, Vid Luther wrote:
> So, security lists are going to have a field day with this one, and I wanted to help this community  get ahead of it.
> First see http://seclists.org/fulldisclosure/2011/Mar/309?utm_source=twitterfeed&utm_medium=twitter
> and
> http://pastebin.com/raw.php?i=BayvYdcP (the end of this link may be NSFW, depending on where you work).
> A knee jerk reaction I'm seeing in channels is that it's WordPress' fault, it's easy to blame, but it may be more a case of a known
> exploit not being patched, I'm not aware of any SQL injection vulnerabilities in the past year though.
> Here's wishing them all luck, and a reminder to all of you to update your installs, including PHP/apache etc :).
I think its funny that people, including Nacin yesterday :P, are just 
seeing this for the first time. I posted a notice about it to wp-hackers 
last week.  I think there is little risk of bad PR to WordPress out of 
this. Looking at the source code of the page that allowed the hack, I 
don't think it is a WP generated page, though it is possible to 
completely hide that these days. My guess would be that people just saw 
a WordPress multisite database in the list and started babbling.

The bigger risk is that one of us used a un/pw combo on mysql that they 
use everywhere else too.  That's another reason to use a unique pw on 
every site you log into.

Brian Layman

More information about the wp-hackers mailing list