This vulnerability reminds me of the the old Hacker movies, where a worm is released that steals random pennys from unsuspecting victims. This vulnerability is the closest I have seen to this scenario.

The vendor has been notified, and more information regarding the vulnerability will be released after 30 days or until such a time as the author feels that WordPress users have had a chance to upgrade.

Unfortunately, the developer has not gotten back to me, and as many blogs use this plugin as a source of income, I have gone ahead and made the necessary changes myself as a temporary solution. Please note this is an unofficial release. Hopefully the vendor will verify the changes and make an official release shortly.

As with any plugin, please make sure you have made a backup before downloading and installing this.

Download adsense-deluxe.zip.

The vendor was notified: 18/05/07
Response received: None as yet
Fix received: Temporary fix released as part of the WordPress Angel Project.

References:

• Writing Secure WordPress Plugins

This is a quick alert to let everyone know that a new version of Akismet has been released to address the recent security vulnerability. As usual, I was very impressed with the speed and accuracy of WordPress in addressing this issue, in particular Ryan Boren and Matt Mullenweg.

For details on downloading the latest WordPress Akismet Plugin, please see: WordPress 2.1.3 Akismet Vulnerability.

I will wait a period of time to allow everyone to upgrade before releasing the full advisory, so keep an eye out for it.

Updates:
14/05/07 Added link to new version

David Kierznowski of Operation n has discovered a serious flaw in the Akismet anti-spam plugin that comes by default with the latest version of WordPress (2.1.3).

It has not been confirmed as yet, but I believe this will affect all versions of the plugin. The vendor has been notified, and more information regarding the vulnerability will be released when a suitable fix has been released.

I know its painful, but its recommended that you disable the Akismet plugin immediately.

The vendor was notified: 14/05/07
Response received: 14/05/07
Fix received: 14/05/07

The Akismet v2.0.2 Download upgrade has been made to address these issues and may be downloaded here.

When mod_security receives a request it parses it into web application parameters in a way it believes is correct. Because the way it parses the incoming data follows the rules defined in RFCs and not the reality of how the HTTP request parsers are implemented in Perl, Python, Java, PHP there are a number of bypass vulnerabilities when the RFC and reality mismatch.

Alot of legacy web applications are in it now. Thats what Ivan Ristic gets for following the RFCs, I mean who does that? :)

From what I can tell the latest version is affected and I do not know of any fix. In fact, I think it will be quite difficult to patch this as its a human weakness problem rather then a programmatical error.

A serious security vulnerability has been found in WordPress <=2.0.6. This can’t be good for them as they just released 2.0.6 “11 days ago”.

Proof of Concept

http://milw0rm.com/exploits/3109

Solution

Get the latest version here.
The quicker fix here.

xy7 found an information disclosure vulnerability in WordPress <= 2.0.6.

It looks like this vulnerability is limited to information leakage only. If you want to test your WP installation see below.

Test if you are vulnerable (most likely):

http://my_wordpress/index.php?m[]=
OR
http://my_wordpress/?m[]=

Temporary fix:

Note: Always make backups before making any changes.
As a temporary fix we ensure that the input being passed to the rawurlencode function is a string and not an array which is what is causing the problems.

• edit wp-includes/classes.php
• Go to line 1663
• The line should look like this:
  if (isset($this->query_vars[$wpvar]) && ” != $this->query_vars[$wpvar]) {
• Add the following (after the above-mentioned line):
  if(!is_string($this->query_vars[$wpvar])) {
  $this->query_vars[$wpvar] = ‘fixed’;
  }

Summary

If I hear of WordPress releasing an official patch I will update this post.