Important WordPress security update 3.0.4

Looks like the Christmas spirit of goodwill to all men lasted a couple of days before the nasty hackers got back to work.

An important security update to WordPress, v3.0.4, has just been released. Anyone running a WordPress 3 blog should update immediately. Anyone who has comments enabled on their WordPress site should be particularly concerned. Why? Because the update fixes a flaw in WordPress’ sanitization filter.

One of the biggest problems with websites that accept user-generated content from untrusted users (for example, people leaving comments on a blog or posting an update on Twitter or Facebook) is the possibility that they can insert code into their content (JavaScript, or other executable code such as PHP) that is then displayed “raw” on the site. Typically they will insert JavaScript that steals cookies, redirects users to other sites, or performs any of a whole myriad of other exploits.

Sanitization filters parse the content they are fed and attempt to strip out anything that looks like code. This update specifically patches the WordPress KSES sanitization filter, so I expect that someone has found a way round the filtering and is inserting malicious code into comments.
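As an added illustration (not code from this post, from WordPress KSES or from HTML Purifier), here is a minimal allow-list sanitizer of the kind such filters implement: any tag or attribute not on the allow-list is dropped rather than escaped, script and style contents are discarded, and hrefs with a script-capable or control-character-smuggled scheme are removed. It is written in Python so it runs stand-alone; the tag allow-list and the sample comments in the test are constructed for the example.

```python
"""Allow-list HTML sanitizer for untrusted blog comments (stored-XSS defence)."""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allow-list: tag -> attributes a commenter may use. Everything else is dropped.
ALLOWED = {"p": set(), "br": set(), "b": set(), "i": set(), "em": set(),
           "strong": set(), "code": set(), "blockquote": set(), "a": {"href", "title"}}
SAFE_SCHEMES = {"http", "https", "mailto"}
RAW_TEXT = {"script", "style"}  # the text inside these must be dropped as well

def safe_url(value):
    """Reject javascript:/data:/vbscript: hrefs and control-char scheme smuggling."""
    if re.search(r"[\x00-\x20\x7f]", value):  # e.g. "java\nscript:alert(1)"
        return False
    scheme = urlparse(value).scheme.lower()  # entities are already decoded here
    return scheme == "" or scheme in SAFE_SCHEMES

class CommentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # decode entities, re-escape on output
        self.out, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT:
            self.skip += 1
            return
        if tag not in ALLOWED:
            return  # unknown tag (img, iframe, ...) dropped; its text content is kept
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue  # drops onclick=, onerror=, style=, ...
            if name == "href" and not safe_url(value):
                continue
            kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag in RAW_TEXT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:  # text is always re-escaped, so a bare "<" stays text
            self.out.append(escape(data, quote=False))

def sanitize_comment(html):
    p = CommentSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)
```

A real deployment should also normalise nesting and close tags the commenter left open; that is layout hygiene rather than an XSS concern and is left out here.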

Of all the filters I’ve used, HTML Purifier seems to be the most comprehensive – so if you’re developing your own bespoke web application that will accept user-generated content, I’d recommend you give it a once-over…

