In light of the recently reported cross–site scripting vulnerabilities in WordPress, version 2.0.6 has been released to address the said issues in the templates.php file as detailed in these entries from Operation N and Security Focus. (As cited in our related coverage.)
Along with the aforementioned fixes, changes were made specific to the comments system, now filtering for input that may ruin layouts and markup. Also listed in the summary of changes is the compatibility for PHP/FastCGI setups and the now functional HTML quicktags for Safari browsers.
But as of writing, the 2.0.6 update is not without problems. Mark Jaquith was quick to point out the possible problem with Feedburner feeds. Apparently, fixes made to the 2.0.5 code has triggered another problem that may affect a different set of users. He offers a solution, and cites related entries from The NeoSmart Files and K-Squared Ramblings, both with more details on the problem and more importantly, how to fix them, now. With the almost–instant response to this last–minute problem, Lorelle was quick to point out how well the community of WordPress developers are addressing reported problems and vulnerabilities.
If you’re upgrading this soon, be sure to backup your database (and files) beforehand and note whatever hacks to the core code you may have made before. I typically defer upgrading for a few more days to check for early–adopter problems like this. If you’d rather upgrade now, watch out for reports on new issues, be it security or performance–related. Again: backup, backup!
This security issue has been found in specifically on WordPress 2.0.5’s template.php allows a user with access to the templates.php to insert arbitrary HTML and/or Javascript which can be then executed by other administrators. The link title of recent accessed files is not sanitized which causes the HTML tags ending with “/” fail. Prior to 2.0.6 release, the temporary workaround is using open “IMG” tags which only works on Firefox and Internet Explorer
A few questions from a blog idiot
How do you keep the spammers from eating you alive? i\’ve seen blogs with nothing but spam postings.
How do you keep some left wing extremist from posting racist or defamatory rhetoric? and if you cant stop them, what are you legally liabel when they do?
can viruses be posted to blogs?