Posts Tagged ‘WordPress Security’

WP-Forum Plugin Security Bulletin

148 responses | January 21st, 2008 | in WordPress Plugins, WordPress Security

If you are currently using the latest release of the WP-Forum plugin, listen up. The websec security team has discovered a vulnerability within this plugin that can be exploited by malicious users to conduct SQL injection attacks. According to Secunia: Input passed to the “user” parameter in the WordPress installation’s index.php script (when “forumaction” is set to “showprofile” and “page_id” to a page with the “<!--WPFORUM-->” tag) is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. When exploited successfully, this vulnerability allows an attacker to retrieve usernames, password hashes, and email addresses for all users, including administrators. However, the attacker must know the proper database table prefix. This vulnerability has been confirmed in version 1.7.4, which is currently the most recent version available for download. Description: WP-Forum is a WordPress plugin that enables […]

[Continue Reading...]

ModSecurity and WordPress

6 responses | November 1st, 2007 | in Blogging News, WordPress Security

Daniel Cuthbert has written a paper on ModSecurity and WordPress. While I praise the work and the effort, I am not sure why they did not find it in themselves to protect the PDF document that they are distributing using some sort of an SHA1 checksum or the like to ensure the integrity of the download. Now, I know that these guys know what they are doing, but I have a problem with security-related papers, help documents, scripts and other items when they cannot be verified with the source and the source itself cannot be verified with the original author of the product. I have always been a big proponent of mod_security and I think it provides a comprehensive layer of web security without as much overhead. Although I have never thought of WordPress’ security to be as weak as the BlogSecurity folks have claimed it to be. mod_security […]

[Continue Reading...]



Obviously Powered by WordPress. © 2003-2013
