WordPress 可能的重大安全性漏洞

Spam Karma 2 的作者發了一篇聽起來很嚴重的文章:

MAJOR SECURITY ANNOUNCEMENT
Affecting all WP users (this is not specifically a Spam Karma problem). Please immediately disable ‘guest user registration’ on your blog if it’s enabled and advise all your friends to do so (details here). I cannot give too much technical details as it would further endanger vulnerable WordPress users, but trust me this is not a joke.

大意是說 WordPress 如果把 guest user registration 或是 guest user account 打開的話,會有重大的安全性漏洞出現,關於詳情,他不能透露太多。他已經通知 WordPress 的 dev team,希望很快會有 patch 釋出。

目前已知這個安全性漏洞會影響 2.x 和 1.5.x 的版本。

雖然一般來說,很少有人會開 guest account registration的… 🙂

好玩的是,Matt(WordPress開發群之一)寫了篇迴響

drDave, if you think you have found a vulnerability the best thing to do is email security@wordpress.org, not cause a panic with a cryptic blog post. We’re about to put out a release and I haven’t received anything from you so I need to know if this is already fixed in 2.0.4 or not.

看來 2.0.4 要delay 一下下了 :p

至於詳情如何? 等待事情進一步地發展吧。

發佈留言