Changes in Wordpress 1.5.2

A few vulnerabilities found in recent weeks have been addressed by the Wordpress team with release 1.5.2, available now from wordpress.org.

The most recent vulnerability I’ve noticed was cross-posted to the Full-Disclosure and Bugtraq mailing lists on the 9th of August. The exploit made use of an old security issue in the PHP engine itself: the compile-time and run-time setting ‘register_globals’, which turns every request parameter into a global PHP variable of the same name.

Thankfully the impact ought to be low: the PHP team have long been trying to stop the use of ‘register_globals’; it is not enabled by default (you explicitly have to switch it on) and warnings against using it appear throughout the documentation.

The most significant change I found in this release of Wordpress is in the file wp-settings.php:

```php
// Turn register globals off
function unregister_GLOBALS() {
    // Nothing to do unless this server actually has register_globals on
    if ( !ini_get('register_globals') )
        return;

    // A request key named GLOBALS would replace the $GLOBALS array itself
    if ( isset($_REQUEST['GLOBALS']) )
        die('GLOBALS overwrite attempt detected');

    // Variables that shouldn't be unset
    $noUnset = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST', '_SERVER', '_ENV', '_FILES', 'table_prefix');

    // Every source register_globals would have imported variables from
    $input = array_merge($_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, $_FILES, isset($_SESSION) && is_array($_SESSION) ? $_SESSION : array());
    foreach ( $input as $k => $v )
        if ( !in_array($k, $noUnset) && isset($GLOBALS[$k]) )
            unset($GLOBALS[$k]);
}

unregister_GLOBALS();
```

The function above sanitises the global namespace before the rest of the request is processed: any global variable whose name matches a key in the request (or in the server, environment, file or session arrays), apart from the superglobals and table_prefix, is unset, so values that register_globals injected never reach the rest of the code. This should greatly reduce the exposure of Wordpress on servers with ‘register_globals’ enabled in the future.
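To see what the cleanup actually buys you, here is an added example (my own code, not from Wordpress) that emulates register_globals in-process, since the real setting cannot be switched on at run time, and then applies a cleanup modelled on the wp-settings.php function. The request arrays, the variable name logged_in and the function names are all constructed for the illustration; the cleanup returns the list of removed names instead of calling die() so its effect can be inspected.

```php
<?php
// Added example, not Wordpress code: emulates what register_globals did
// and shows how unsetting request-named globals neutralises it.

// Constructed request data standing in for a real HTTP request.
$_GET  = array('page_title' => 'Hello', 'logged_in' => '1');
$_POST = array('comment' => 'first!');

// What register_globals=On did for every request: copy each request
// key into a global variable of the same name.
function emulate_register_globals(array $request) {
    foreach ($request as $k => $v) {
        $GLOBALS[$k] = $v;
    }
}

// Cleanup modelled on the wp-settings.php function above, but taking
// the request as a parameter and returning the removed names rather
// than calling die(). Returns false if the request tries to replace
// $GLOBALS itself.
function strip_request_globals(array $request, array $keep) {
    if (array_key_exists('GLOBALS', $request)) {
        return false;
    }
    $removed = array();
    foreach ($request as $k => $v) {
        if (!in_array($k, $keep, true) && array_key_exists($k, $GLOBALS)) {
            unset($GLOBALS[$k]);
            $removed[] = $k;
        }
    }
    return $removed;
}

// A script that tests a variable it never initialised. With
// register_globals on, the request parameter logged_in=1 creates it.
function can_edit() {
    return !empty($GLOBALS['logged_in']);
}

// The same check written defensively: the value is initialised from a
// trusted source before any request data is consulted.
function can_edit_safe($authenticated_user) {
    $logged_in = ($authenticated_user !== null);
    return $logged_in;
}

$keep = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
              '_SERVER', '_ENV', '_FILES', 'table_prefix');

$request = array_merge($_GET, $_POST);
emulate_register_globals($request);
echo "before cleanup, can_edit(): ", var_export(can_edit(), true), "\n";

$removed = strip_request_globals($request, $keep);
echo "removed globals: ", implode(', ', $removed), "\n";
echo "after cleanup, can_edit(): ", var_export(can_edit(), true), "\n";

// A request carrying a GLOBALS key is refused outright, as in wp-settings.php.
echo "GLOBALS key refused: ",
     var_export(strip_request_globals(array('GLOBALS' => 'x'), $keep) === false, true), "\n";

// The defensive check does not depend on what the request contained.
echo "can_edit_safe(null): ", var_export(can_edit_safe(null), true), "\n";
```

Run it with the PHP CLI. The point of can_edit_safe() is that the cleanup is a safety net, not a substitute: code that initialises every variable before use is unaffected by register_globals whether the cleanup runs or not, and that is the property worth checking for in your own plugins and templates. Note also that register_globals was removed from PHP entirely in 5.4, so on a current interpreter the ini_get() check in the Wordpress function will always return an empty value and the cleanup is skipped.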

Related Links:
http://wordpress.org/development/2005/08/one-five-two/
http://blog.blackdown.de/2005/08/14/another-wordpress-security-update/

1 Comment so far

changing wordpress, 1.5.2 ;-)