WordPress 2.1.3 Akismet Vulnerability

Updates:
14/05/07 Added link to new version

David Kierznowski of Operation n has discovered a serious flaw in the Akismet anti-spam plugin that comes by default with the latest version of WordPress (2.1.3).

It has not been confirmed as yet, but I believe this will affect all versions of the plugin. The vendor has been notified, and more information regarding the vulnerability will be released once a suitable fix is available.

I know it's painful, but it's recommended that you disable the Akismet plugin immediately.

The vendor was notified: 14/05/07
Response received: 14/05/07
Fix received: 14/05/07

Akismet v2.0.2 has been released to address these issues and may be downloaded here.

35 Comments so far

  1. […] Operation N blog, there is a security hole in the Akismet plugin for WordPress. Unfortunately there is no further […]

  2. KaiToU @ May 14th, 2007

    great job..!!
    is wp subversion’s akismet affected, too?

    tenQ

  3. […] to David Kierznowski, Wordpress’s comment anti-spam tool Akismet is vulnerable to attack. Anyone who’s ever had a Wordpress blog probably knows how effective this wonderful little […]

  4. […] has found a “flaw” in the latest anti-spam plugin for WordPress. He published it on the hackers' blog ‘Operation n’. The flaw is in all versions of this plugin, also in the […]

  5. […] to the Akismet advisory that was released today I disabled it, and installed spamkarma2 for spam-filtering (until akismet […]

  6. […] Kierznowski reports on his website that there is a serious hole in the Akismet anti-spam plugin that ships by default with the […]

  7. […] in the Akismet plugin for the WordPress blog software. Kierznowski published his discovery on the hackers' blog 'Operation n'. According to the researcher there is a 'serious vulnerability in […]

  8. […] David Kierznowski of Operation n has discovered a serious flaw in the Akismet anti-spam plugin that comes by default with the latest version of WordPress (2.1.3). […]

  9. […] For details on downloading the latest WordPress Akismet Plugin, please see: WordPress 2.1.3 Akismet Vulnerability. […]

  10. […] published here an advisory about an Akismet Security Vulnerability (Wordpress’ popular antispam plugin), the […]

  11. Jan Stedehouder @ May 14th, 2007

    I don’t know if this fix is completely correct. When I want to go to the akismet-admin page from the dashboard the link is:
    http://edit-comments.php/?page=akismet-admin
    without the proper URL.
    I de-activated the plugin first and then replaced the old akismet.php with the new one. You seem to have contact with the developers, so I thought I should put the remark here. Other than that it is good to see such a fast response.

  12. […] inside the well-known Akismet plugin distributed with WordPress version 2.1.3. Operation n even advises disabling the plugin immediately or updating it to version 2.0.2 […]

  13. beni @ May 14th, 2007

    Jan, workaround:
    Edit your Akismet plugin, search for "$link?page=akismet-admin" and remove the function around it; it is something like clean_link("$link?page=akismet-admin") -> "$link?page=akismet-admin" and now it works again.
    They should test their plugins before release imo ;)

    cheers beNi

  14. […] published here an alert, also circulated on the Full Disclosure list, about a security flaw in the plugin […]

  15. […] Kierznowski of the security blog operation n discovered a security hole in Akismet for WordPress (version 2.1.3 is mentioned, but […]

  16. Erik @ May 15th, 2007

    I would like to thank you and the Akismet team for finding this vulnerability and this quick response!

  17. Palhaço @ May 15th, 2007

    Does this crap Akismet come enabled by default?
    What a pain, huh… you have to keep the whole site updated every month…

  18. […] David Kierznowski of Operation n has discovered a serious flaw in the Akismet anti-spam plugin that comes by default with the latest version of WordPress (2.1.3). […]

  19. […] this can happen too, and instead of protecting us the plugin can sink us. And this is what happened: David Kierznowski has in fact discovered a vulnerability in Akismet.php that would allow an attacker to steal the […]

  20. […] helps us against comment spam, but David Kierznowski has published an advisory about the security vulnerability of the popular plugin […]

  21. […] included by default in the WordPress platform is buggy. For more information, here are the advisory and proof of concept that cover this vulnerability. But it is not over yet; it seems that the […] too

  22. […] WordPress 2.1.3 Akismet Vulnerability - Operation n […]

  23. […] Akismet, the plugin that lets you filter out a good share of spam comments. David Kierznowski has discovered a flaw in the version of Akismet that is installed by default in the latest versions of WordPress (the latest […]

  24. […] Kierznowski has discovered a flaw in the version of Akismet that is installed by default in the latest versions of WordPress […]

  25. […] problems had been found in the Akismet plugin. It contained a hole that hackers could use to do things with your files that you […]

  26. […] 18th, 2007 @ 11:19 by Mike So, only a week away from a PC and a vulnerability has been discovered in the Akismet plugin for WordPress. The vulnerability has been promptly fixed with the version […]

  27. […] had to update the Akismet plugin as well, to be safe from the latest security flaw discovered, as reported by […]

  28. […] David Kierznowski, security researcher, the popular anti-spam WordPress plugin contains a serious hole. It is advised, as long as no update has been released, to immediately […] the plugin

  29. […] Akismet XSS (more) […]

  30. […] lets you filter spam messages and which this site also uses. This bug discovered by David Kierznowski allows an attacker, via the akismet.php file, to take the login cookies […]

  31. […] For now it says it only detects a few, among them Akismet, which recently had a flaw and which comes installed by default on every WordPress. If we look at the code we see that it does […]

  32. […] from here the updated version of the […]

  33. […] had to update the Akismet plugin as well, to be safe from the latest security flaw discovered, as reported by […]

  34. […] read more | digg story […]
