Update: WordPress 1.5.2 now available.
Found out last Friday that WordPress had a security update for its 1.5.1.3 version that involved the register_globals setting.
They posted updated information in the WordPress forums:
WordPress version 1.5.1.3 is remotely exploitable if the web server on which it runs has register_globals = on in the PHP configuration. Perl and PHP code exists to automatically exploit vulnerable WP 1.5.1.3 sites, allowing the attacker to (try to) execute code on the victim’s account.
Here are some recommended steps that should be taken to secure your WP account:
To use the revised wp-settings.php file, please first make a backup copy of your existing /wp-includes/wp-settings.php file, then simply transfer the new version to the /wp-includes/ directory on your site.
We strongly encourage security in depth. In addition to the fix above, you are encouraged to disable register_globals for your site. Most users will be able to edit their .htaccess file and place this at the very top: php_flag register_globals off
If you control the server, you may edit php.ini and disable register_globals. You will need to restart the webserver after making this change.
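To check whether the two settings above actually leave register_globals off for a given site, here is an added example (not WordPress code or anything from the forum post) that reads a php.ini and an optional per-directory .htaccess and reports the setting mod_php would apply. It assumes php_flag/php_value in .htaccess are honoured (mod_php with AllowOverride permitting them) and treats an absent setting as PHP's compiled-in default, which has been off since PHP 4.2.0.

```shell
#!/bin/sh
# Added example: effective register_globals for one site, derived from
# php.ini plus an optional .htaccess (the .htaccess value wins, as it does
# under mod_php when AllowOverride permits php_flag/php_value).

# Normalise a PHP boolean-ish value ("On", "1", "true", ...) to on/off.
norm_bool() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    on|1|true|yes) echo on ;;
    *)             echo off ;;
  esac
}

# Last uncommented "register_globals = X" in a php.ini; empty if absent.
ini_setting() {
  awk -F'=' '
    /^[[:space:]]*;/ { next }                      # ini comment line
    tolower($1) ~ /^[[:space:]]*register_globals[[:space:]]*$/ {
      v = $2; gsub(/[[:space:]"]/, "", v); sub(/;.*/, "", v); last = v
    }
    END { print last }' "$1"
}

# Last "php_flag|php_value register_globals X" in an .htaccess; empty if absent.
htaccess_setting() {
  awk '
    /^[[:space:]]*#/ { next }                      # Apache comment line
    tolower($1) ~ /^php_(flag|value)$/ && tolower($2) == "register_globals" { last = $3 }
    END { print last }' "$1"
}

# effective_register_globals PHP_INI [HTACCESS]  -> prints "on" or "off"
effective_register_globals() {
  v="$(ini_setting "$1")"
  if [ -n "$2" ] && [ -f "$2" ]; then
    h="$(htaccess_setting "$2")"
    if [ -n "$h" ]; then v="$h"; fi             # per-directory override wins
  fi
  if [ -z "$v" ]; then v=off; fi                # compiled-in default (PHP >= 4.2.0)
  norm_bool "$v"
}

# Usage: sh check_rg.sh /etc/php.ini /var/www/site/.htaccess
if [ "$#" -ge 1 ]; then effective_register_globals "$@"; fi
```

Note that PHP run as CGI or FastCGI ignores php_flag in .htaccess, so on such a host the .htaccess result above would be misleading; confirm with a phpinfo() page served by the site itself.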
Everyone is strongly encouraged to update their WordPress installation as indicated above. I suggest doing both the first and the second option.
Note to plogHost clients: Although we can turn off register_globals on all servers, many other applications that require it to be “on” may be affected and stop working.


You mean we have register_globals turned on at ploghost? It’s sad that other developers simply ignore safe programming practices to allow their apps to run with the register_globals directive set to off. It doesn’t really take much to code that way.
Another WP update? It’s nice to see the community responding swiftly. :)