WordPress 2.8.1 fixes many bugs and tightens security for plugin administration pages. Core Security Technologies notified us that admin pages added by certain plugins could be viewed by unprivileged users, resulting in information being leaked. Not all plugins are vulnerable to this problem, but we advise upgrading to 2.8.1 to be safe...
via WordPress › Blog » WordPress 2.8.1.
Today more than ever, attention falls on the security side of this release, which comes with a long list of vulnerabilities (now patched):
- 2009-06-04: Core Security Technologies notifies the WordPress team of the vulnerabilities (security@wordpress.org) and offers a technical description encrypted or in plain-text. Advisory is planned for publication on June 22nd.
- 2009-06-08: Core notifies again the WordPress team of the vulnerability.
- 2009-06-10: The WordPress team asks Core for a technical description of the vulnerability in plain-text.
- 2009-06-11: Technical details sent to WordPress team by Core.
- 2009-06-11: WordPress team notifies Core that a fix was produced and is available to Core for testing. WordPress team asserts that password and username discrimination as well as username leakage are known and will not be fixed because they are convenient for the users.
- 2009-06-12: Core tells the WordPress team that the patch will be tested by Core as a courtesy as soon as possible. It also requests confirmation that WordPress versions 2.8 and earlier, and WordPress.com, are vulnerable to the flaws included in the advisory draft CORE-2009-0515.
- 2009-06-12: WordPress team confirms that WordPress 2.8 and earlier plus WordPress.com are vulnerable to the flaws included in the advisory draft.
- 2009-06-17: Core informs the WordPress team that the patch is only fixing one of the four proof of concept abuses included in the advisory draft. Core reminds the WordPress team that the advisory is scheduled to be published on June 22nd but a new schedule can be discussed.
- 2009-06-19: Core asks for a new patched version of WordPress, if available, and notifies the WordPress team that the publication of the advisory was re-scheduled to June 30th.
- 2009-06-19: WordPress team confirms they have a new patch that has the potential to break a lot of plugins.
- 2009-06-29: WordPress team asks for a delay of advisory CORE-2009-0515 publication until July 6th, when WordPress MU version will be patched.
- 2009-06-29: Core agrees to delay publication of advisory CORE-2009-0515 until July 6th.
- 2009-06-29: Core tells the WordPress team that other administrative PHP modules can also be rendered by non-administrative users, such as module admin-post.php and link-parse-opml.php.
- 2009-07-02: WordPress team comments that admin.php and admin-post.php are intentionally open and plugins can choose to hook either privileged or unprivileged actions. They also comment that unprivileged access to link-parse-opml.php is benign but having this file open is bad form.
- 2009-07-02: Core sends the WordPress team a new draft of the advisory and comments that there is no capability specified in WordPress documentation for configuring plugins. Also control of actions registered by plugins is not enforced. Core also notices that the privileges unchecked bug in admin.php?page= is fixed on WordPress 2.8.1-beta2 latest development release.
- 2009-07-06: Core requests WordPress confirmation of the release date of WordPress 2.8.1 and WordPress MU 2.8.
- 2009-07-07: WordPress team confirms that a release candidate of WordPress 2.8.1 is made available to users and that the advisory may be published.
- 2009-07-06: Core requests WordPress confirmation of the release date of WordPress MU and WordPress MU new version numbers.
- 2009-07-07: WordPress team releases WordPress 2.8.1 RC1 to its users.
- 2009-07-08: WordPress team confirms that WordPress MU 2.8.1 will be made available as soon as WordPress 2.8.1 is officially released. Probably July 8th or 9th.
- 2009-07-08: The advisory CORE-2009-0515 is published.
Here you can find the complete list with the related details.
Please update! :)
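The timeline above boils down to two plugin-side lessons: the capability passed to the menu registration was not enforced by admin.php?page= in 2.8 and earlier, and admin-post.php is by design reachable by everyone, so a plugin must verify the caller itself. The following plugin is an added example written for this post; it is not code from the WordPress project or from the Core advisory, and the slug `hsp-settings`, the option `hsp_api_endpoint`, the action `hsp_save` and the nonce name `hsp_nonce` are hypothetical names chosen for the illustration. It shows the checks that keep a plugin page private regardless of whether the core dispatcher performs them.

```php
<?php
/*
Plugin Name: Hardened Settings Page (added example, not from WordPress core or the advisory)
*/

// Hypothetical names used throughout: slug 'hsp-settings', option 'hsp_api_endpoint',
// form action 'hsp_save', nonce field 'hsp_nonce'.

// 1. Register the page with an explicit capability. WordPress 2.8 and earlier did not
//    enforce this capability when rendering admin.php?page=hsp-settings (the bug fixed
//    in 2.8.1), so step 2 below must not rely on it.
add_action( 'admin_menu', 'hsp_register_menu' );
function hsp_register_menu() {
    add_menu_page(
        'HSP Settings',            // page title
        'HSP Settings',            // menu title
        'manage_options',          // capability required to see the menu entry
        'hsp-settings',            // slug used in admin.php?page=hsp-settings
        'hsp_render_settings_page' // callback that renders the page
    );
}

// 2. Re-check the capability inside the callback itself. This is the defence in depth
//    that keeps the page from leaking settings to unprivileged users even when the
//    menu dispatcher check is missing or bypassed.
function hsp_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have sufficient permissions to access this page.' );
    }
    $endpoint = get_option( 'hsp_api_endpoint', '' );
    ?>
    <div class="wrap">
        <h2>HSP Settings</h2>
        <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
            <input type="hidden" name="action" value="hsp_save" />
            <?php wp_nonce_field( 'hsp_save_settings', 'hsp_nonce' ); ?>
            <label>API endpoint
                <input type="text" name="hsp_api_endpoint"
                       value="<?php echo esc_attr( $endpoint ); ?>" />
            </label>
            <input type="submit" class="button-primary" value="Save" />
        </form>
    </div>
    <?php
}

// 3. admin-post.php is intentionally open (see the 2009-07-02 entry), so the plugin
//    picks the hook and verifies the caller. Only 'admin_post_{action}' (logged-in
//    users) is registered; 'admin_post_nopriv_{action}' would expose the handler to
//    anonymous visitors, which a settings writer never needs.
add_action( 'admin_post_hsp_save', 'hsp_handle_save' );
function hsp_handle_save() {
    // Capability check: being logged in is not the same as being allowed to change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }
    // Nonce check: rejects requests forged from another site (CSRF).
    check_admin_referer( 'hsp_save_settings', 'hsp_nonce' );

    $raw      = isset( $_POST['hsp_api_endpoint'] ) ? $_POST['hsp_api_endpoint'] : '';
    $endpoint = esc_url_raw( trim( $raw ) ); // sanitize before storing
    update_option( 'hsp_api_endpoint', $endpoint );

    wp_safe_redirect( admin_url( 'admin.php?page=hsp-settings&updated=1' ) );
    exit;
}
```

When auditing a plugin for the class of bug in the advisory, look for exactly these two spots: a page callback that renders without its own `current_user_can()` check, and an `admin_post_` or `admin_post_nopriv_` handler that writes or reads data without a capability and nonce check.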