All the latest UK technology news, reviews and analysis
|
|
|
04 Oct 2004
Users are waiting for an update for the hypertext preprocessor (PHP)-based open source blogging tool WordPress, to fix security vulnerabilities identified in the software last week.
Security consultant Secunia has advised WordPress users to consider alternatives because of the vulnerabilities, which can be exploited by malicious hackers to conduct cross-site scripting (CSS) attacks and redirect users to sites under their control.
Citing researcher Thomas Waldegger's warning last Wednesday, Secunia reported: "Input passed to certain parameters in various scripts isn't properly verified before it is returned to the user.
"This can be exploited to execute arbitrary HTML or script code in a user's browser session in context of an affected site by tricking the user into visiting a malicious website or follow a specially crafted link."
On its forums WordPress expressed disappointment that Waldegger apparently bypassed usual courtesy by publishing his advisory only shortly after warning the firm of his discovery.
WordPress said in a post: "The [development team] were made aware of this shortly before the public announcement, and we were already working on fixes before the information was released to the public.
"We are disappointed that we were not given the opportunity to release fixes for the problems before the information was made public, as is the usual courtesy in the security community. However, that's water under the bridge at this point.
"Expect a WordPress 1.2.1 release soon, which will address these issues. We're including a few other minor bugfixes while we're at it."
Although the vulnerabilities have been given a rating of 'less critical' by Secunia, some users are still nervous.
One posted to the WordPress forum this morning: "I've tried to read up on XSS aka CSS, trying to figure out exactly what this vulnerability will let people do, either to or through my site. I still really don't know.
"But I do know that every minute my site remains unpatched (I don't know how to do it, other than take it offline) is another minute of anxiety. I figure it's just a matter of time until some bot sends the word back that my site's ripe for the picking."
Be sure to check out blogs on vnunet.com
Latest stories from Security
Related articles
Related jobs
Poll
What is the most important IT priority for your company this year?
Sneak peek at the forthcoming glass-based machine
Connect with V3.co.uk
This paper focuses on a series of best practices and techniques for development teams looking to improve their software development processes
Why good data management at all levels is essential in the modern business (video, 6mins)
Skills: OO Development, Scripting, Functional My client...
Agile Java Developer - Media - London Key Words: Agile...
Technical support Specialist (2/3 rd Line) CCNA...
Functional Test Engineers needed, Berkshire, up to £30k...
Keep up to date with the latest products, services and technologies from the world's leading IT companies. IThound.com brings you over 2,000 white papers, case studies and analyst reports.
Do you agree?