WordPress Bug: I Read Your Future Drafts!

Posted 2007 | Blogging, Security, WordPress

A WordPress bug lets people read your draft posts with future timestamps, as well as get hidden information about your database table structure and limits. WordPress version 2.3.2 is now released and fixes these security issues.

The WordPress 2.3.2 security release fixes the bug that exposes your draft posts, fixes error messages that can give away information about your database table structure and limits, and stops some information leaks in the XML-RPC and APP (Atom Publishing Protocol) implementations.

Michael Brooks reported it at Bugtraq:

The impact of the flaw is that an attacker can read posts while they are still drafts. This is an ability that only the administrator should have. Imagine a stranger being able to read the news before it is published. Or perhaps a spam-blog harvesting posts before they are published.
….
The attack fails when search engine friendly URLs are turned on in WordPress; however, this option is turned off by default. Turning search engine friendly URLs on is a workaround until a patch is created.

The bug has highlighted how easily you could read what ShoeMoney or Problogger is going to post tomorrow! Simply modify the URL below and behold the bug for any blog …
http://www.yourblogname.com/?x=wp-admin/&paged=1
I tried it on my blog and was unable to see any future posts because I use search engine friendly permalinks, and this bug fails on them.
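As an added example (not part of the original post, and not WordPress code), here is a small Python scanner that flags requests shaped like the URL above in Apache combined-format access logs, so you can tell after patching whether anyone tried this against your blog and whether the server answered with content. The log lines are constructed samples, the addresses and user-agent strings are placeholders, and the combined log format is an assumption; a request whose path really is under /wp-admin/ is treated as normal dashboard use and not flagged.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined" log format; not real traffic.
# Lines 1, 3 and 5 use the query-string shape quoted in the post; line 4 is a
# normal dashboard request that must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2007:10:01:02 +0000] "GET /?x=wp-admin/&paged=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2007:10:01:05 +0000] "GET /?p=123 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2007:10:01:09 +0000] "GET /index.php?x=wp-admin%2F&paged=2 HTTP/1.1" 200 5130 "-" "curl/7.16.4"
192.0.2.9 - - [10/Dec/2007:10:02:00 +0000] "GET /wp-admin/edit.php?paged=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Dec/2007:10:02:30 +0000] "GET /?x=wp-admin/&paged=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
"""

# Assumed combined log format: ip ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def is_draft_probe(target: str) -> bool:
    """Return True when a front-end request carries a query-string value that
    starts with 'wp-admin', i.e. the shape of the URL quoted in the post.
    Requests whose path really is under /wp-admin/ are normal dashboard use."""
    parts = urlsplit(target)
    if parts.path.startswith("/wp-admin"):
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)  # also URL-decodes %2F etc.
    return any(value.lstrip("/").startswith("wp-admin")
               for values in qs.values() for value in values)


def find_probes(log_text: str) -> list:
    """Parse combined-format lines and return the suspicious requests with the
    fields an analyst needs: who asked, what they asked for, and whether the
    server answered with content (status and body size)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_draft_probe(m.group("target")):
            continue
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "target": m.group("target"),
            "status": int(m.group("status")),
            "size": int(m.group("size")) if m.group("size").isdigit() else 0,
        })
    return hits


def probes_by_ip(log_text: str) -> dict:
    """Count flagged requests per source address to spot bulk harvesting."""
    return dict(Counter(hit["ip"] for hit in find_probes(log_text)))


if __name__ == "__main__":
    # Replace SAMPLE_LOG with the contents of your own access log.
    for hit in find_probes(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["status"]} {hit["size"]:>6} {hit["target"]}')
    print(probes_by_ip(SAMPLE_LOG))
```

The status and body size are reported alongside each hit because they say more than the request itself: a 200 with a few kilobytes of body means something was served to that client, while a redirect or an empty body means the request went nowhere. The per-address count is what separates one curious visitor from a scraper walking through `paged=` values.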

Download WordPress 2.3.2 now to secure your blog and stop hackers from seeing your future posts and database details. See the changes between 2.3.1 and 2.3.2; you can update only the changed files by FTP and secure WordPress in minutes.
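The "update only the changed files" step above, as an added example that is not from the post or from WordPress: this Python script hashes two extracted release trees and lists the files that differ, which is the set you would upload by FTP. The two demo trees it builds are constructed placeholders standing in for 2.3.1 and 2.3.2, not the real list of changed files; compare the result with the official change list before uploading.

```python
import hashlib
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def tree_hashes(root) -> dict:
    """Map each file's path (relative, forward slashes) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_sha256(p)
        for p in root.rglob("*") if p.is_file()
    }


def compare_trees(old_root, new_root) -> dict:
    """Classify files as modified, added or removed between two release trees."""
    old, new = tree_hashes(old_root), tree_hashes(new_root)
    return {
        "modified": sorted(p for p in new if p in old and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


def upload_list(old_root, new_root) -> list:
    """Files to push over FTP: everything modified or newly added. Removed
    files are left out on purpose so they can be deleted deliberately."""
    diff = compare_trees(old_root, new_root)
    return sorted(diff["modified"] + diff["added"])


def build_demo_trees():
    """Construct two small throw-away trees standing in for 2.3.1 and 2.3.2.
    The file names and contents are placeholders, not the real change list."""
    base = Path(tempfile.mkdtemp(prefix="wp-diff-"))
    old, new = base / "wordpress-2.3.1", base / "wordpress-2.3.2"
    files_old = {
        "wp-includes/query.php": "<?php // old query code\n",
        "wp-includes/version.php": "<?php $wp_version = '2.3.1';\n",
        "wp-config-sample.php": "<?php // unchanged\n",
        "wp-includes/obsolete.php": "<?php // dropped in the newer tree\n",
    }
    files_new = {
        "wp-includes/query.php": "<?php // fixed query code\n",
        "wp-includes/version.php": "<?php $wp_version = '2.3.2';\n",
        "wp-config-sample.php": "<?php // unchanged\n",
        "wp-includes/new-helper.php": "<?php // added in the newer tree\n",
    }
    for root, files in ((old, files_old), (new, files_new)):
        for rel, body in files.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
    return old, new


if __name__ == "__main__":
    # Point these at your extracted 2.3.1 and 2.3.2 directories for real use.
    old_dir, new_dir = build_demo_trees()
    for kind, paths in compare_trees(old_dir, new_dir).items():
        print(f"{kind}: {paths}")
    print("upload:", upload_list(old_dir, new_dir))
```

Hashing rather than comparing timestamps matters here: files extracted from two archives carry archive dates, not edit dates, so only content comparison tells you which ones actually changed. Never upload your own wp-config.php from a fresh tree by mistake; only the sample config is part of the release.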


4 comments on “WordPress Bug: I Read Your Future Drafts!”

  1. Ashish Mohta says:

    Hi PC,

    I am looking for a small piece of info related to this. Will replacing those files be enough? As far as I have seen the code change, I don’t find any database upgrade. So replacing the files should be enough. I have done one previous upgrade which was similar to this, i.e. a security upgrade.

    It would be great if somebody can share their own experience on this.

    Thanks!

  2. QuickOnlineTips says:

    I simply replaced those few files. No database upgrade was required.

  3. Salman says:

    I am still hung up with WordPress 2.2.3.

    Could you PLEASE help tell me about some plugin so that I can easily upgrade to the latest version? Please?

  4. Salman says:

    And how do we turn on the search engine friendly permalink option in WordPress??

    where is it?
