WP-DBManager 2.61 has been released and it fixes a security vulnerability which allows a user to download your wp-config.php. If you do not use the default backup folder path, you are not affected by this.
However, most users are affected, and it is recommended that you upgrade WP-DBManager to 2.61.
WP-DBManager 2.62 will be out on Tuesday with added nonce security and auto-repair functionality.
Sorry for any inconvenience caused.
Download: WP-DBManager 2.61
I have released 2 security updates, to WP-Polls and WP-PostRatings, which basically remove malicious code that allows code injection.
The malicious code is as follows:
if ($_SERVER['PHP_SELF'] == @links_add_base_url("/", $_SERVER['HTTP_REFERER']))
The code itself does nothing, but hackers are spoofing $_SERVER['HTTP_REFERER'], which allows arbitrary code injection. Note the @ sign, which suppresses all errors, so the error will not be displayed.
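The planted line above has three tell-tale features: an attacker-controlled request header ($_SERVER['HTTP_REFERER']) fed into a WordPress function, an @ that hides any failure, and no legitimate reason to exist in a polls or ratings plugin. The scanner below is an added example, not code from the plugin author or from WordPress.org. It greps a PHP source tree (for instance a checked-out plugin trunk or tag) for that exact construct and for a few generic PHP backdoor idioms, and reports each hit with file, line and rule. The rule names, the confidence split and the sample PHP are all constructed for this example; the sample deliberately includes a benign @fopen() call to show why the @ rule alone is only a lead, not a verdict.

```python
"""Heuristic scanner for planted PHP code of the kind quoted above.

Added example (not the plugin author's or WordPress.org's code). Every hit is
a lead for a human review: the generic rules fire on legitimate code too.
"""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List


@dataclass(frozen=True)
class Finding:
    path: str
    lineno: int
    rule: str
    line: str


# Rule name -> regex applied to each source line. Names are this example's own.
RULES = {
    # The exact construct quoted in the post: the Referer header handed to
    # links_add_base_url(), with an optional @ hiding any error it raises.
    "referer_into_links_add_base_url": re.compile(
        r"@?\s*links_add_base_url\s*\(.*\$_SERVER\s*\[\s*['\"]HTTP_REFERER['\"]\s*\]"),
    # Any raw request header being read; attacker-controlled by definition.
    "request_header_used": re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_[A-Z_]+['\"]\s*\]"),
    # Classic dynamic-code sinks in PHP (assert() evaluated string arguments
    # before PHP 8; create_function() was removed in PHP 8).
    "dynamic_code_sink": re.compile(r"\b(?:eval|create_function|assert)\s*\("),
    # preg_replace() whose pattern string carries the /e modifier, which made
    # PHP evaluate the replacement as code (removed in PHP 7).
    "preg_replace_e_modifier": re.compile(
        r"preg_replace\s*\(\s*(['\"])(\W).*?\2[a-zA-Z]*e[a-zA-Z]*\1"),
    # @-suppressed calls: common in legitimate plugins, so low confidence on
    # its own, but it is exactly how the quoted line hid its failure.
    "error_suppressed_call": re.compile(r"@\s*[A-Za-z_]\w*\s*\("),
}

HIGH_CONFIDENCE = {
    "referer_into_links_add_base_url",
    "dynamic_code_sink",
    "preg_replace_e_modifier",
}


def scan_source(text: str, path: str = "<string>") -> List[Finding]:
    """Return every (rule, line) hit in one PHP source text, in line order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, rx in RULES.items():
            if rx.search(line):
                findings.append(Finding(path, lineno, rule, line.strip()))
    return findings


def scan_tree(root: Path, suffixes: Iterable[str] = (".php",)) -> List[Finding]:
    """Scan every PHP file under root, e.g. an SVN checkout of trunk or a tag."""
    findings: List[Finding] = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix in suffixes:
            findings.extend(scan_source(p.read_text(errors="replace"), str(p)))
    return findings


def high_confidence(findings: Iterable[Finding]) -> List[Finding]:
    """Keep only hits from rules that rarely appear in legitimate plugin code."""
    return [f for f in findings if f.rule in HIGH_CONFIDENCE]


# Constructed sample: the quoted line next to benign code that a naive
# grep for '@' would also flag.
SAMPLE_PHP = """<?php
// benign: suppressing a warning on a missing file is common in plugins
$fh = @fopen($backup_file, 'rb');
if ($_SERVER['PHP_SELF'] == @links_add_base_url("/", $_SERVER['HTTP_REFERER'])) {
    // body of the planted check
}
echo esc_html($poll_question);
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_PHP, "wp-polls.php"):
        flag = "!!" if f.rule in HIGH_CONFIDENCE else "  "
        print(f"{flag} {f.path}:{f.lineno} [{f.rule}] {f.line}")
```

Run it against each tag directory of a plugin checkout and diff the high-confidence hits between releases; a construct that appears only in one tag, with no matching change in trunk made by the maintainer, is the kind of commit the next section argues about.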
I am 100% sure, based on the points below, that the code was not added by me. I am beginning to believe that my account was hacked.
- Personally, I have no idea what links_add_base_url() does and hence it is impossible for me to place it in my own plugin code.
- I checked the commit date for the changeset of WP-PostRatings and the date/time is 11/04/10 22:10:13. Since I am in the GMT+8 zone, it is 6am for me. I do not wake up at 6am just to update my plugin.
- The above changeset is for trunk. However, in my readme.txt I have stated that the stable tag is 1.50, and hence the file is copied to /tags/1.50/ in this changeset, but if you note the time, it is 11/05/10 00:52:39. This is almost 3 hours after the trunk commit and it is almost 9am in my timezone; I would be in my office, and my office's computer does not have SVN copies of my plugins. So it is also not possible for me to have committed that file.
- If you notice the same changeset, the file is being copied from trunk to tags/1.50 by SVN copy. I do not do an SVN copy for my plugins; normally I just copy and paste the files using Windows Explorer.
- For WP-Polls, there is only 1 changeset, as my stable tag is from trunk, and the timestamp is 11/05/10 12:30:07. This is about 12 hours after the changeset of WP-PostRatings. In my timezone it is about 8.30pm, and it is not possible for me to check in because 8pm to 9pm is my dinner time and I always eat out.
- For WP-WAP, there are also 2 suspicious commits, here and here. As I do not develop WP-WAP anymore, there is no reason for me to commit anything to it.
I am going to review all my commits to the SVN to ensure that no more suspicious code has been added.
I have released WP-PostRatings 1.61, which fixes a code injection via "HTTP Referrer" and affects only users who are on WP-PostRatings 1.50. This is the same code injection fixed for WP-Polls a few days back.
I have checked the rest of my plugins to ensure that the code is not in any more of my plugins. Sorry for any inconvenience caused.
Similar to WP-Polls, I also took this chance to port the readme.html to the proper readme.txt which WordPress.org is using, and now you can see all the details of WP-PostRatings right from the plugins page itself, regardless of whether you are viewing it from your WP-Admin or WordPress.org.
All users should upgrade now
Props to Dion Hulse aka dd32 for the report!
Download: WP-PostRatings 1.61
I have released WP-Polls 2.61, which fixes a code injection via "HTTP Referrer" and affects only users who are on WP-Polls 2.60.
I also took this chance to port the readme.html to the proper readme.txt which WordPress.org is using, and now you can see all the details of WP-Polls right from the plugins page itself, regardless of whether you are viewing it from your WP-Admin or WordPress.org.
All users should upgrade now
Vulnerability discovered by + Props to:
Dweeks, Leon Juranic and Chad Lavoie of the Swiftwill Security Team (www.swiftwill.com)
Download: WP-Polls 2.61