A hacker managed to sneak into the WordPress server and modify the code in the 2.1.1 release, introducing a backdoor that allowed remote PHP code execution. Although the 2.1.1 package does not appear to have been compromised when it was first released, WordPress encourages all users to upgrade to 2.1.2 to close the security hole.

I had patched within the first hours so my site is secure, but I’m still patching. And this is more a heads up for those that read my blog and also run WordPress. For an analysis on what it was:

[...] diffed the contents against 2.1.2, and determined two things:

1. The initial release was, indeed, clean. The two files mentioned in the advisory were not modified between the two tarballs.
2. The new release also includes a patch for a cross-site scripting vulnerability discovered earlier this week: http://trac.wordpress.org/ticket/3879

So even if you’re certain you got the early, unmodified download, you should upgrade anyway.

According to the comments, it looks like there are two files that need access blocked, “theme.php” and “feed.php”, along with any query string containing “ix=” or “iz=”.
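As an added example (not from the post or from the WordPress project), a small scanner that applies the two indicators named above, direct hits on theme.php or feed.php and an ix= or iz= query parameter, to web server access logs. The log lines, hosts and timestamps are constructed for the example; the parameter values are placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# The two files and the two trigger parameters named in the post.
SUSPECT_FILES = {"theme.php", "feed.php"}
SUSPECT_PARAMS = {"ix", "iz"}

# Constructed sample lines in Apache "combined" log format (hypothetical hosts, times, values).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Mar/2007:10:12:01 +0000] "GET /wp-includes/feed.php?ix=1 HTTP/1.1" 200 512 "-" "curl/7.15"
203.0.113.7 - - [03/Mar/2007:10:12:05 +0000] "GET /wp-includes/theme.php?iz=1 HTTP/1.1" 200 128 "-" "curl/7.15"
198.51.100.2 - - [03/Mar/2007:10:13:40 +0000] "GET /?feed=rss2 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.2 - - [03/Mar/2007:10:14:02 +0000] "GET /wp-admin/theme-editor.php?file=index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.9 - - [03/Mar/2007:10:15:11 +0000] "POST /wp-includes/theme.php?Ix=1 HTTP/1.1" 403 0 "-" "python-urllib"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def classify_request(target):
    """Return the reasons (possibly none) a request target matches the post's indicators."""
    parts = urlsplit(target)
    reasons = []
    # Compare only the final path component, so theme-editor.php or /feed/ do not match.
    filename = unquote(parts.path).rsplit("/", 1)[-1].lower()
    if filename in SUSPECT_FILES:
        reasons.append(f"direct request to {filename}")
    # Parameter names are compared case-insensitively; an empty value (ix=) still counts.
    params = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    hit = sorted(params & SUSPECT_PARAMS)
    if hit:
        reasons.append("trigger parameter " + ",".join(hit))
    return reasons


def scan_log(text):
    """Return (ip, method, target, status, reasons) for every suspicious line in the log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        reasons = classify_request(m["target"])
        if reasons:
            findings.append((m["ip"], m["method"], m["target"], int(m["status"]), reasons))
    return findings


if __name__ == "__main__":
    for ip, method, target, status, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {method} {target} -> {status}: {'; '.join(reasons)}")
```

A 200 on a direct hit to either file is the line worth chasing; a 403 shows the blocking rule from the comments doing its job.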


And Download WordPress 2.1.2 Here
