May 24, 2008

WordPress SQL injection

Today it came out that there is yet another SQL injection in WordPress blogs.


This code exploits the Wordpress Plugin Upload File, and allows an attacker to execute an arbitrary command on the hosting machine. If you host your Blog Locally, this is an enormous problem! The exploit (Discovered by a russian hacker http://eserg.ru ) ,  is one of a myriad of security issues recently exposed by Hackers- leaving bloggers worldwide vulnerable.  

What is an arbitrary command?
   This is when an attacker exploits a security vulnerability in a program to execute commands on YOUR computer. For example, in this case, by simply sending this SQL query
   null/**/union/**/all/**/select/**/concat(user_login,0x3a,user_pass)/**/from/**/wp_users/*
to your server, he is able to add/remove users, delete files, and install any number of viruses.
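As an added example (not code from the original post and not WordPress's own code), the Python block below shows the pattern behind this class of bug and how to close it: a query built by pasting a request parameter into the SQL text, the same query with the value validated and bound as a parameter, and a check over a few access-log lines for the comment-padded UNION ... SELECT shape that the quoted query uses. The database, its rows, the "hashes" and the log lines are all constructed; the payload is the one quoted above, with MySQL's concat(...,0x3a,...) rewritten with SQLite's || operator so it runs against the in-memory SQLite stand-in. Note that the quoted query itself reads user_login and user_pass out of wp_users, which is why the hardened version must stop the injected text from ever being parsed as SQL.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed stand-in for two WordPress tables (SQLite in memory; not real data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT)")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER, post_title TEXT)")
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", [
        (1, "admin", "$P$constructed_hash_1"),   # constructed placeholder, not a real hash
        (2, "editor", "$P$constructed_hash_2"),
    ])
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?)",
                     [(1, "Hello world"), (2, "Second post")])
    return conn

# Vulnerable shape: the request parameter is pasted straight into the SQL text,
# so everything after the number becomes part of the statement and the trailing
# /* in the payload comments out whatever the application appends.
def post_title_vulnerable(conn, post_id):
    sql = "SELECT post_title FROM wp_posts WHERE ID = " + post_id + " ORDER BY ID"
    return [row[0] for row in conn.execute(sql)]

# Hardened shape: reject anything that is not a post number, then bind the value
# as a parameter so the driver never treats it as SQL.
def post_title_safe(conn, post_id):
    if not re.fullmatch(r"\d+", post_id):
        return []
    cur = conn.execute("SELECT post_title FROM wp_posts WHERE ID = ? ORDER BY ID",
                       (int(post_id),))
    return [row[0] for row in cur]

# The query quoted in the post, with MySQL's concat(...,0x3a,...) rewritten as
# SQLite's || operator so it runs here; /**/ stands in for spaces.
PAYLOAD = ("null/**/union/**/all/**/select/**/user_login||':'||user_pass"
           "/**/from/**/wp_users/*")

# Detection over access logs: decode the URI, turn comment padding back into
# whitespace, then look for the UNION [ALL] SELECT shape.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)')
UNION_SELECT = re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.IGNORECASE)

def normalise(uri):
    decoded = unquote(unquote(uri))          # second pass catches double-encoding
    return re.sub(r"/\*.*?\*/", " ", decoded)

def flag_union_injection(lines):
    """Return the client IPs of log lines whose request carries UNION ... SELECT."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and UNION_SELECT.search(normalise(m.group(2))):
            hits.append(m.group(1))
    return hits

# Constructed Apache-style access-log lines: the second carries the payload
# URL-encoded, the third is a benign search that happens to contain "union".
LOG_LINES = [
    '203.0.113.5 - - [24/May/2008:10:00:01 +0000] "GET /?p=1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [24/May/2008:10:00:07 +0000] "GET /?p=null%2F%2A%2A%2Funion'
    '%2F%2A%2A%2Fall%2F%2A%2A%2Fselect%2F%2A%2A%2Fconcat(user_login,0x3a,user_pass)'
    '%2F%2A%2A%2Ffrom%2F%2A%2A%2Fwp_users%2F%2A HTTP/1.1" 200 5304',
    '198.51.100.2 - - [24/May/2008:10:01:12 +0000] "GET /?s=union+square HTTP/1.1" 200 4100',
]

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", post_title_vulnerable(db, PAYLOAD))   # leaks login:hash rows
    print("hardened:  ", post_title_safe(db, PAYLOAD))         # []
    print("flagged:   ", flag_union_injection(LOG_LINES))      # ['203.0.113.9']
```

The block needs only the Python standard library. The two lookup functions differ in one thing: the hardened one never lets the request value reach the SQL parser, so the comment padding, the UNION and the trailing /* are all just a string that fails the digit check. The log check normalises before matching, because a pattern that looks for a literal "union select" misses the /**/-padded and percent-encoded form while still flagging nothing on an ordinary search for "union square".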

Be on the lookout in the next week for a patch from www.wordpress.com / www.wordpress.org.
