Wordpress Blog Installation Service!
We Install – Host – Upgrade – Troubleshoot WP! | You Blog!
13th
NOV
WordPress 2.8.6 Security Release – Considerations!
Posted by Zulfikar under Troubleshooting Wordpress, Upgrading Wordpress
Update: Upgrade your WordPress blog NOW!
The vulnerability is far more serious than first indicated in the extract from Wordpress.org below, and an immediate upgrade is now advised. The security hole can allow a script to add files to the site’s root directory, which can lead to major disruption of your blog. Files such as index.html can be added to your site root via this security hole; this can include warez, viruses and porn type files. Thanks to the prompt action of those who spotted the breach, and to WordPress for the prompt release of the latest secure version, we can now eliminate the problem by upgrading immediately.
Many of you will have realised that a new version of Wordpress is now available and as with all interim releases, this is a security patch release.
But before you upgrade, here are a few things to take into account! (I know it’s a change of tone on my part, as I always advise an immediate upgrade.)
This is why Wordpress V2.8.6 has been released:
2.8.6 fixes two security problems that can be exploited by registered, logged in users who have posting privileges. If you have untrusted authors on your blog, upgrading to 2.8.6 is recommended.
The first problem is an XSS vulnerability in Press This discovered by Benjamin Flesch. The second problem, discovered by Dawid Golunski, is an issue with sanitizing uploaded file names that can be exploited in certain Apache configurations. Thanks to Benjamin and Dawid for finding and reporting these.
That snippet is from Wordpress.org and outlines the reason behind the security release – so if the above applies to you then by all means go ahead and upgrade asap.
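Added example, not from WordPress.org or this blog: a Python check of the kind the second fix concerns, flagging upload names that carry an extra, non-permitted extension before the final one and showing a neutralised form. It assumes the "certain Apache configurations" are those where a handler mapping applies to any extension in a multi-part name rather than only the last; the allow-list, function names and sample names are constructed for illustration.

```python
import re

# Constructed allow-list; a real site would use its own permitted upload types.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "gz", "tar", "zip"}

# An inner part "looks like an extension" if it is 2-5 ASCII letters,
# optionally followed by one digit.
_EXT_LIKE = re.compile(r"^[A-Za-z]{2,5}\d?$")


def split_parts(filename):
    """Return (base, inner extensions, final extension or None)."""
    parts = filename.split(".")
    if len(parts) < 2 or parts[-1] == "":
        return filename, [], None
    return parts[0], parts[1:-1], parts[-1]


def _is_risky(part, allowed):
    return bool(_EXT_LIKE.match(part)) and part.lower() not in allowed


def risky_inner_extensions(filename, allowed=ALLOWED_EXTENSIONS):
    """Inner extensions that are extension-like but not on the allow-list."""
    _, inner, _ = split_parts(filename)
    return [p for p in inner if _is_risky(p, allowed)]


def neutralise(filename, allowed=ALLOWED_EXTENSIONS):
    """Append '_' to each risky inner extension so no handler mapping matches it."""
    base, inner, final = split_parts(filename)
    if final is None:
        return filename
    fixed = [p + "_" if _is_risky(p, allowed) else p for p in inner]
    return ".".join([base, *fixed, final])


def audit(names, allowed=ALLOWED_EXTENSIONS):
    """Map every flagged name to its neutralised form."""
    return {n: neutralise(n, allowed) for n in names
            if risky_inner_extensions(n, allowed)}


# Constructed sample of names as they might appear in an uploads directory.
SAMPLE_UPLOADS = ["holiday.jpg", "backup.tar.gz", "report.v2.pdf",
                  "avatar.php.jpg", "notes.PHTML.txt", "README"]

if __name__ == "__main__":
    for name, fixed in audit(SAMPLE_UPLOADS).items():
        print(f"review: {name} -> {fixed}")
```

Names with a permitted inner extension (backup.tar.gz) or a version-style part (report.v2.pdf) pass unchanged, so the check can be run over an existing uploads listing without burying real findings.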
Here are a few factors to consider before upgrading.
A number of plugins have returned errors after I upgraded to the latest version – this by no means suggests a problem with Wordpress itself.
This in turn caused a few problems for me.
a) I could not log out in the admin dashboard; error returned was “You are attempting to log out of ‘SiteName’ Please try again!” (My understanding is that this is an issue with the log out hook in the current theme I’m using – under investigation at the moment).
- Workaround – Should you find yourself in this predicament: Place the cursor in your address bar and hit enter, on refresh you will get a message asking if you are sure you want to log out with a log out link – click on the link and you should be able to log out. Seems to work fine after that!
b) On visiting the main site the sidebar login widget showed that I was not logged in even though I could still access the admin dashboard with limitations on certain elements. I narrowed this down to the sidebar login plugin – now deactivated until the issue is resolved hopefully by a new plugin update.
c) While writing a post I was getting a MySQL database error – again this was narrowed down to a plugin, this time it was the “Thank you counter button” – deactivating the plugin resolved the problem and so I am awaiting an updated version.
There may be more issues cropping up as time goes by, I will keep this post updated should I come across any more issues and remedies if available. If you are having problems after upgrading to the latest version of Wordpress please leave a comment and I’ll investigate it further.
Post Meta: November 13, 2009 - Troubleshooting Wordpress, Upgrading Wordpress - 22 Comments

Reader's Comments
“logged in users who have posting privileges”
What if the user doesn't have posting privileges? Cause I don't even have comments activated on my site, and I'm the only one with posting privileges.
Twitter: peshawer
| November 15th, 2009 at 1:32 pm
Thank you for sharing such a useful information with us. It is also good to immediately upgrade wordpress.
Twitter: zulfnore
| November 15th, 2009 at 2:02 pm
@Julenissen@forbrukslån – The initial advice was that the security hole could be exploited by registered and logged in users with posting privileges.
But now the consensus amongst experts is that this can also be exploited by scripts which can impersonate a registered user and inject itself into the root of your hosting. It is therefore highly recommended to upgrade to the latest version asap.
You may have some issues with some of the plugins (very few if I may add) and some themes may be – even then that would be way less hassle compared to what would be if somehow your blog is exploited.
Twitter: zulfnore
| November 15th, 2009 at 2:25 pm
@Bilal Ahmad – You are welcome Bilal, glad to be of service to the community
I love wordpress and have used it on many blogs, but one thing is for sure. You have to stay on top of these wordpress updates or you can be hacked quickly and badly. It has happened to me twice. Thanks for making us aware of this update..
Great post. Appreciate this great service.
Twitter: zulfnore
| November 16th, 2009 at 9:43 am
@Jimbo @ lift tables skirt – No problem
– Agreed on keeping on top and up to date with upgrades. As with any modern technology, there are always crooks who want to spoil the fun and there are always those dedicated to combat them, so once again hats off to the guys at http://www.wordpress.org
Twitter: zulfnore
| November 16th, 2009 at 9:45 am
@Jack@Free International VOIP Calls Worldwide – You are welcome Jack, glad to be of some service
Twitter: saurabhsnv
| November 16th, 2009 at 7:46 pm
I just love my wordpress blog and I have upgraded it already and I think 2.9 is going to appear in future.
Twitter: zulfnore
| November 16th, 2009 at 10:30 pm
@saurabh@uk seo expert – Good going Saurab
Always keep up to date and out of trouble.
2.9 is under beta testing for bug hunting at the moment and is due for release early December I hear – look forward to that.
Twitter: ukwriters
| November 17th, 2009 at 6:50 am
Thanks a lot for sharing. First of all, I am UK stuff member. I recently came to your blog; it's excellent, keep it up.
Best regards!
Thanks for this important information. I already knew that
To be honest, I find all of these patches and updates to be a bit too much. I wish that WordPress would figure out a way to automatically update without me having to manually install the software on my server constantly.
Twitter: zulfnore
| November 24th, 2009 at 10:04 am
@Tim@Naperville Pest Control – Now that would be neat. But the thing is that not all blogs, themes, settings are the same so if there was an automatic upgrade and site breaks, wordpress would have to take the responsibility of fixing it.
An auto upgrade where we do nothing would mean rewriting the code to facilitate such automation. I don’t think the guys at wordpress have the capacity to go that route yet. They are already doing an awesome job with the platform and that too for free, it wouldn’t be fair to upload all work onto them.
Just like a car, maintenance and upkeep is up to the owner, as bloggers we should take the responsibility of our sites and the software we use.
Maybe a third party development team could be the answer – what do you think?
This is really a great thing to know about the WordPress 2.8.6 Security Release. Word press is used by most of the people so that it was very necessary thing. I hope it will get its desired success anyways keep it up and keep continue.
REALLY WORDPRESS GREAT IT IS AN OPEN SOURCE FOR BLOG PUBLICATION AND CONTENT MANAGEMENT I GOT GOOD INFORMATION ABOUT ITS REALIZES THANKS FOR SHARING.I WILL USE IT AND TELL YOU THE RESULTS.THANKS.
Twitter: zulfnore
| December 5th, 2009 at 3:56 pm
@The Rock, no problem dude. Wordpress is forever evolving and shall continue to grow to great heights am sure