Romantic Robot Working on it.

16:10 Mon 6 Mar 2006

Still on 1.5.2?

Filed under: WordPress

If you are, you now have 3 choices:
1 – Leave your blog wide open to vulnerabilities which Matt knew about but kept quiet about.
2 – Upgrade to the bloat that is version 2.x (2.0.2 is imminent)
3 – Emigrate to another blog format.

I specifically asked on more than one occasion about point 1, and I was told all was good.

Forum post

Edit: Don’t upgrade! 2.0.1 has a hole too. Wait till … drumroll … 2.0.2!

Edit again: Hold on …. ;)


  1. I took option 3 because I was tired of having to upgrade to fix vulnerabilities … and yet the upgrade was breaking existing functionality (xmlrpc in my case).

    That was June/July last year.

    Comment by gpshewan — 16:29 Mon 6 Mar 2006

  2. I am livid about this garbage now.

    WordPress on USB ? At least it’s safe there, cos it isn’t anywhere else.

    Comment by Mark — 16:47 Mon 6 Mar 2006

  3. Mark, wholeheartedly agree with the issues raised here… Though there is option 4):
    Fix the install yourself…

    I suppose the issue that Matt knew about but kept quiet about (bears repeating) is the one involving SQL injection through the UA string in a comment post. This can be easily fixed, as a direct patch or a plugin. I strongly suspect this hasn’t been done yet in order to encourage option 2) above.

    I was already considering incorporating the fix within SK2, although there are no direct relations between the two. I suppose I should rather make it a standalone plugin. As soon as I’ve verified this is the only exploit out there, I will do so and let you know (it’s a 3 line plugin).

    Comment by dr Dave — 17:00 Mon 6 Mar 2006
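The defect dr Dave describes above is a classic second-order input problem: the comment form is validated, but the User-Agent header that arrives alongside it is copied straight into the INSERT that stores the comment. The following is an added example written for this page, not WordPress code and not dr Dave's plugin. It uses an in-memory SQLite database through PDO so it runs stand-alone; the `comments` table shape is constructed for the demonstration and only loosely mirrors WordPress's own table, and the User-Agent string is a constructed sample. The vulnerable function shows the pattern described in the thread (header concatenated into SQL); the hardened function binds every request-controlled value as a parameter, which is the general fix of which the escaping plugin dr Dave mentions is one instance.

```php
<?php
// Added example (not WordPress's code, not dr Dave's plugin): why concatenating
// the User-Agent header into an INSERT is an injection sink, and how a bound
// parameter removes the problem. Table and sample values are constructed here.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, content TEXT, agent TEXT)');

// Vulnerable pattern: the header is treated as trusted text and spliced into SQL.
function insert_comment_vulnerable(PDO $pdo, string $author, string $content, string $agent): void
{
    $sql = "INSERT INTO comments (author, content, agent) VALUES ('$author', '$content', '$agent')";
    $pdo->exec($sql);
}

// Hardened pattern: every request-controlled value travels as a bound parameter,
// so the database never parses it as SQL regardless of its contents.
function insert_comment_safe(PDO $pdo, string $author, string $content, string $agent): void
{
    $stmt = $pdo->prepare('INSERT INTO comments (author, content, agent) VALUES (:author, :content, :agent)');
    $stmt->execute([':author' => $author, ':content' => $content, ':agent' => $agent]);
}

// Constructed User-Agent containing a single quote. In a real request this value
// comes from $_SERVER['HTTP_USER_AGENT'], chosen entirely by the client.
$agent = "Mozilla/5.0 (compatible; O'Reilly-Test/1.0)";

try {
    insert_comment_vulnerable($pdo, 'alice', 'hello', $agent);
    echo "vulnerable insert unexpectedly succeeded\n";
} catch (PDOException $e) {
    // The quote closes the string literal early and the remainder of the header
    // is handed to the SQL parser: a syntax error here, something worse elsewhere.
    echo "vulnerable insert failed: ", $e->getMessage(), "\n";
}

insert_comment_safe($pdo, 'alice', 'hello', $agent);
$row = $pdo->query('SELECT agent FROM comments')->fetch(PDO::FETCH_ASSOC);
echo "safe insert stored: ", $row['agent'], "\n";
```

Run it with `php example.php`: the first insert raises a PDOException because the apostrophe terminates the literal, while the second stores the header byte-for-byte. The same reasoning applies to every other header or form field the comment path persists, not only the User-Agent; a drop-in escaping plugin fixes the one sink the thread names, whereas parameterised statements close the whole class.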

  4. I’m sympathetic to the keeping quiet point – because the last thing you want to do is spread how to break ppls blogs.

    However it should have been fixed the moment it was found if they were going to do that. They didn’t.

    I don’t mind v2 because it’s slightly faster performing on my site, and has a better plugin API, but I agree that the admin is bloated. It’s also a lot, lot harder to change the UI of the v2 admin because of the copious amounts of JS.

    I happen to think WP is the best thing out there atm for roll-your-own blogging, but it’s starting to get really, really, crufty.. which is weird considering Matt’s usual stance on cruft..

    Comment by Gregory — 17:56 Mon 6 Mar 2006

  5. zomg take 2!

    Comment by Vidar — 18:38 Mon 6 Mar 2006

  6. There is a fix from drdave being tested now.

    It’s the fact that at least ONE exploit was known when I asked very specifically if 1.5.2 was secure. I was told it was.

    Comment by Mark — 18:40 Mon 6 Mar 2006

  7. WP 1.52 vulnerability

    The news I was alluding to earlier today was that a new vulnerability in WP 1.52 has been disclosed. The issue affects WP versions 2.0x and below.

    Trackback by If..Else Log — 19:55 Mon 6 Mar 2006

  8. uuuh – due to the comments here and due to the information that the WordPress 2.0 theme competition site by KCYap, which was running WP 2.0, was hacked just two days ago, I sniffed a little in the WP sources, and even the 2.1alpha nightly from last weekend still contains the same loophole that allows SQL injection under certain circumstances. It is TOO easy to hack a blog this way…. scary….

    Comment by CountZero — 20:47 Mon 6 Mar 2006

  9. awww feck, went up to 2.0.1 two weeks ago… arse!!!

    Comment by Terry — 21:03 Mon 6 Mar 2006

  10. Terry – you have an important blog though, You need to stay on top of this stuff !

    Comment by Mark — 21:04 Mon 6 Mar 2006

  11. Aye, definitely will be keeping an eye out for it! Once I’ve plucked up the courage to update it (after backups of course) I’ll get it sorted :-)

    Comment by Terry — 21:13 Mon 6 Mar 2006

  12. […] Reading these three blogs led to starting my own blog using WordPress. A big thank you goes to Matt Mullenweg, Ryan Boren and all the developers who created and maintain this excellent, FREE, blog software program. If you’re new to WordPress there is an excellent support system of bloggers who contribute to the extensive Codex and who patiently answer questions on the Support Forum. But when I was first learning I stumbled upon a person that really helped me with the basics of CSS and other WordPress stuff (of which I was clueless); Mark. Here is his WordPress Guide and his blog. One of the invaluable things that Mark taught me was to download the WebDeveloper toolbar in Firefox to directly tinker with and edit the CSS. Thank you Matt, Ryan, all at WordPress and Mark! After a long search I decided to use the great K2 WordPress theme created by Michael Heilemann and Chris J. Davis. It is clean, flexible and easy to use (although if anyone can tell me why my trackback narrative doesn’t show up…). As with WordPress, the K2 theme has a lot of people who support and answer newbie questions at this forum. For me one person who has really helped me with K2 is Paul Stamatiou. A perfect example of his great articles supporting K2 is the first in a series called Customizing K2. Thanks Michael, Chris and Paul and all the K2 community! […]

    Pingback by Thank You Fellow Bloggers Meme! at Brendan — 04:38 Wed 8 Mar 2006

  13. […] CSS and other WordPress stuff (of which I was clueless); Podz. Here is his WordPress Guide and his blog. One of the invaluable things that Podz taught me was to download the WebDeveloper toolbar in […]

    Pingback by Thank You Fellow Bloggers Meme — Brendan McPhillips — 00:38 Tue 25 Sep 2007
