Blogging tool users still waiting for security fix

Users are waiting for an update for the hypertext preprocessor (PHP)-based open source blogging tool WordPress, to fix security vulnerabilities identified in the software last week.

Security consultant Secunia has advised WordPress users to consider alternatives because of the vulnerabilities, which can be exploited by malicious hackers to conduct cross-site scripting (CSS) attacks and redirect users to sites under their control.

Citing researcher Thomas Waldegger's warning last Wednesday, Secunia reported: "Input passed to certain parameters in various scripts isn't properly verified before it is returned to the user.

"This can be exploited to execute arbitrary HTML or script code in a user's browser session in context of an affected site by tricking the user into visiting a malicious website or follow a specially crafted link."

On its forums WordPress expressed disappointment that Waldegger apparently bypassed usual courtesy by publishing his advisory only shortly after warning the firm of his discovery.

WordPress said in a post: "The [development team] were made aware of this shortly before the public announcement, and we were already working on fixes before the information was released to the public.

"We are disappointed that we were not given the opportunity to release fixes for the problems before the information was made public, as is the usual courtesy in the security community. However, that's water under the bridge at this point.

"Expect a WordPress 1.2.1 release soon, which will address these issues. We're including a few other minor bugfixes while we're at it."

Although the vulnerabilities have been given a rating of 'less critical' by Secunia, some users are still nervous.

One posted to the WordPress forum this morning: "I've tried to read up on XSS aka CSS, trying to figure out exactly what this vulnerability will let people do, either to or through my site. I still really don't know.

"But I do know that every minute my site remains unpatched (I don't know how to do it, other than take it offline) is another minute of anxiety. I figure it's just a matter of time until some bot sends the word back that my site's ripe for the picking."

Be sure to check out blogs on vnunet.com