Comments on: Oracle attack on Wordpress

By: westi

westi — Fri, 23 Jun 2006 09:15:28 +0000

The caching system at fault was disabled by default in 2.0.2 and 2.0.1 as well it was only enabled by default in the 2.0 release.

The fix in 2.0.3 for the cache removes the ability for any attack on the caching system giving you the ability to put executable code in the cache files and the serialized data is now base64 encoded and placed inside a multi line php comment.

By: Mike Purvis

Mike Purvis — Thu, 22 Jun 2006 19:10:53 +0000

Rather than commenting out the entire file, couldn’t you just put as the first line in each?

By: David Chait

David Chait — Thu, 22 Jun 2006 19:04:57 +0000

Good analysis. Obviously shows that embedding passwords into lesser hashes isn’t always a good idea.

Also, it would have been good to point out that the caching system at fault is disabled in 2.0.4, and should never have been defaulting enabled given it only helps a fraction of a percent of the WP population. Only an expert admin would want/need to activate it. Not only does it open security issues, but it also can be ‘buggy’ and overload certain server configs.