WordPress Code Subverted on Its Own Server
Users who have downloaded the 2.1.1 version of the open-source blogging platform WordPress should upgrade all files to 2.1.2 immediately, since they could include a security bug injected by a cracker who gained user-level access to one of the servers that powers wordpress.org, according to a release posted on WordPress' site on Friday.
WordPress received a note on the project's security mailing address Friday morning regarding "highly exploitable code," the release said. After investigating the issue, the WordPress developers found that the 2.1.1 download had been modified from its original site. The Web site was taken down immediately for further forensic analysis.
"It was determined that a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file," the release continued. "We have locked down that server for further forensics."
At this point it looks like the 2.1.1 download was the only thing affected by the attack. The attacker(s) modified two files to include code that would allow for the remote PHP execution.
"This is the kind of thing you pray never happens, but it did and now we're dealing with it as best we can," the release continues. Not all downloads of 2.1.1 were affected, but WordPress declared the entire version dangerous. Several WordPress developers worked through the night to release a new version, 2.1.2, that includes minor updates and entirely verified files.
"We are also taking lots of measures to ensure something like this can't happen again, not the least of which is minutely external verification of the download package so we'll know immediately if something goes wrong for any reason," according to the WordPress release.
WordPress also reset passwords for a number of users with SVN and other access, so users may need to reset their password on the forums before they can log in.
WordPress is asking that all users of 2.1.1 upgrade immediately and conduct a full overwrite of old files, especially those in wp-includes. The project leaders are also asking that users check out their friends' blogs to see if they're running the infected version and to contact them about the situation if they are, and to help friends with the upgrade if possible.
WordPress is also asking Web hosts or network administrators to block access to "theme.php" and "feed.php", and any query string with "ix=" or "iz=" in it. Customers at Web hosts are being asked to send a note to let them know about the attack and the need to upgrade immediately.
WordPress has set up an e-mail address to answer user questions, at firstname.lastname@example.org.
WordPress will be updating its site with more information as they get it.