Still on 1.5.2?

If you are, you now have 3 choices:
1 – Leave your blog wide open to vulnerabilities which Matt knew about but kept quiet about.
2 – Upgrade to the bloat that is version 2.x (2.0.2 is imminent)
3 – Emigrate to another blog format.

I specifically asked on more than one occasion about point 1, and I was told all was good.

Forum post

Edit: Don’t upgrade! 2.0.1 has a hole too. Wait till … drumroll … 2.0.2!

Edit again: Hold on …. ;)

13 thoughts on “Still on 1.5.2?”

  1. Mark, wholeheartedly agree with the issues raised here… Though there is option 4):
    Fix the install yourself…

    I suppose the issue that Matt knew about but kept quiet about (bears repeating) is the one involving SQL injection through the UA string in a comment post. This can be easily fixed, as a direct patch or a plugin. I strongly suspect this hasn’t been done yet in order to encourage option 2) above.

    I was already considering incorporating the fix within SK2, although there is no direct relation between the two. I suppose I should rather make it a standalone plugin. As soon as I’ve verified this is the only exploit out there, I will do so and let you know (it’s a 3-line plugin).

  2. I’m sympathetic to the keeping-quiet point, because the last thing you want to do is spread how to break people’s blogs.

    However it should have been fixed the moment it was found if they were going to do that. They didn’t.

    I don’t mind v2 because it’s slightly faster performing on my site, and has a better plugin API, but I agree that the admin is bloated. It’s also a lot, lot harder to change the UI of the v2 admin because of the copious amounts of JS.

    I happen to think WP is the best thing out there at the moment for roll-your-own blogging, but it’s starting to get really, really crufty... which is weird considering Matt’s usual stance on cruft...

  3. Pingback: If..Else Log
  4. Uuuh – due to the comments here, and due to the information that the WordPress 2.0 theme competition site by KCYap, which is running WP 2.0, was hacked just two days ago, I sniffed around a little in the WP sources, and even the 2.1alpha nightly from last weekend still contains the same loophole that allows SQL injection under certain circumstances. It is TOO easy to hack a blog this way.... scary....
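Comments 1 and 4 above describe the bug class at issue: the visitor-controlled User-Agent header being interpolated into the SQL that stores a comment. The following is an added illustration of that class, written for this page; it is not code from the post, from WordPress, or from the commenter’s plugin, and it uses Python’s sqlite3 in place of WordPress’s PHP and MySQL. The comments table, the `HOSTILE_UA` payload and its effect (flipping the moderation flag) are constructed for the demonstration and are not a reproduction of the actual WordPress exploit.

```python
import sqlite3

# Constructed sample inputs. HOSTILE_UA is a hypothetical payload chosen to
# show how a quote in the header rewrites the statement; it is not the real
# WordPress exploit string.
HOSTILE_UA = "Mozilla/5.0', 1) -- "
BENIGN_UA = "Mozilla/5.0 (X11; Linux) Gecko/20060101 Firefox/1.5"

# Toy stand-in for a comments table: every new comment is meant to be held
# for moderation (approved = 0) until an admin approves it.
SCHEMA = """
CREATE TABLE comments (
    id         INTEGER PRIMARY KEY,
    author     TEXT    NOT NULL,
    content    TEXT    NOT NULL,
    user_agent TEXT    NOT NULL,
    approved   INTEGER NOT NULL DEFAULT 0
);
"""


def fresh_db():
    """Return a new in-memory database with the toy schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def last_row(conn):
    """(user_agent, approved) of the most recently inserted comment."""
    return conn.execute(
        "SELECT user_agent, approved FROM comments ORDER BY id DESC LIMIT 1"
    ).fetchone()


def insert_comment_vulnerable(conn, author, content, user_agent):
    """Vulnerable pattern: request data is pasted into the SQL text.

    With HOSTILE_UA the statement becomes
      ... VALUES ('alice', 'hi', 'Mozilla/5.0', 1) -- ', 0)
    so the attacker closes the string, supplies approved = 1 and comments
    out the rest: the comment skips moderation.
    """
    sql = (
        "INSERT INTO comments (author, content, user_agent, approved) "
        f"VALUES ('{author}', '{content}', '{user_agent}', 0)"
    )
    conn.execute(sql)
    conn.commit()
    return last_row(conn)


def insert_comment_safe(conn, author, content, user_agent):
    """Hardened pattern: the same insert with parameter binding.

    The driver ships the header as data, not as SQL, so quote characters
    in it are stored literally and can never change the statement.
    """
    conn.execute(
        "INSERT INTO comments (author, content, user_agent, approved) "
        "VALUES (?, ?, ?, 0)",
        (author, content, user_agent),
    )
    conn.commit()
    return last_row(conn)


def vulnerable_path_breaks_on_quote(conn, user_agent):
    """True if the vulnerable insert cannot even handle a quote in the UA.

    A header like "Bob's Browser" is enough to produce a syntax error, which
    is the cheap canary for spotting this bug class in a code base.
    """
    try:
        insert_comment_vulnerable(conn, "bob", "hi", user_agent)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", insert_comment_vulnerable(fresh_db(), "alice", "hi", HOSTILE_UA))
    print("safe:      ", insert_comment_safe(fresh_db(), "alice", "hi", HOSTILE_UA))
    print("benign UA: ", insert_comment_safe(fresh_db(), "alice", "hi", BENIGN_UA))
    print("quote breaks vulnerable path:", vulnerable_path_breaks_on_quote(fresh_db(), "Bob's Browser"))
```

Running the block shows the vulnerable path storing `approved = 1` for the hostile header while the bound-parameter version stores the whole payload, quote and all, as an ordinary string with `approved = 0`. In the PHP of this era the equivalent fix is escaping the header before it reaches the query; binding it as a parameter is the same idea without a per-call escaping step to forget.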
