Ouch! WordPress Hacked on Their Own Site!
This is one reason it is not smart to do an immediate upgrade as soon as one is released! I like to “hold” back on upgrades to things like my WordPress Blog. It turns out that if we had upgraded to WordPress 2.1.1 as soon as it came out, we would have been in danger of having malicious code in the site! So, hooray for folks tracking these things down!
WordPress Code Subverted on Its Own Server
“Users who have downloaded the 2.1.1 version of the open-source blogging platform WordPress should upgrade all files to 2.1.2 immediately, since they could include a security bug injected by a cracker who gained user-level access to one of the servers that powers wordpress.org, according to a release posted on WordPress’ site on Friday. WordPress received a note on the project’s security mailing address Friday morning regarding ‘highly exploitable code,’ the release said. After investigating the issue, the WordPress developers found that the 2.1.1 download had been modified from its original site. The Web site was taken down immediately for further forensic analysis. ‘It was determined that a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file,’ the release continued. ‘We have locked down that server for further forensics.'”