Stefan Esser over at the PHP Security Blog is not happy. He’s just written a blog posted titled WordPress – developers totally nuts claiming that only hours after releasing version 1.5.2, the developers patched some additional security flaws and re-uploaded the download file without labelling it any differently. Stefan had previously contacted WordPress about security flaws in their product and had contributed some patches. The end result, according to Stefan’s claims, is that many WordPress users who downloaded the pre-updated version 1.5.2 will still be vulnerable to known and published security exploits.
Amusingly, it appears that hours after the blog post went live, Stefan renamed the post’s title to ‘WordPress – irresponsible silent tarball update‘ without notice.
Dougall Campbell, a developer for WordPress, responds to what he sees as a campaign of fear, uncertainty and doubt against the 1.5.2 release. Dougall admits that the first downloadable archive to be posted on wordpress.org didn’t contain all the security fixes they intended to include, but that the situation was rectified before the initial announcement of the release was posted, and therefore anybody who downloaded the archive after the posting of the official announcement is safe from the problem.
According to Stefan’s post the exploit in question involves a function in WordPress’s code intended to work around servers which have register_globals enabled. The function checks to see if register_globals is enabled in the PHP configuration, and if so it tries to unset each global variable that was created. The function inadvertently introduced an additional flaw – allowing remote users to bypass the protection that the function offered.