The first problem is an XSS vulnerability in Press This discovered by Benjamin Flesch. The second problem, discovered by Dawid Golunski, is an issue with sanitizing uploaded file names that can be exploited in certain Apache configurations. Thanks to Benjamin and Dawid for finding and reporting these.

The upgrade is as usual available through various means with the two most popular ones being through an automatic update in the Wordpress admin interface and the second trough a download from the official Wordpress website. The first is faster and more comfortable while the second offers more control to the user especially if something goes wrong.

This Wordpress update does not require an update of the Wordpress database. It is however recommended to perform a backup of both the Wordpress files on the web server and the MySQL database to be prepared if the update should fail for any reason.

Related posts

• Wordpress 2.8.5 Security Update (4)
• Wordpress 2.8.2 Security Patch (1)
• Wordpress 2.6.5 Security Update (0)
• Wordpress 2.6.1 released (1)
• Wordpress 2.8.3 (1)

The most important changes in Wordpress 2.8.5 are therefor:

• A fix for the Trackback Denial-of-Service attack that is currently being seen.
• Removal of areas within the code where php code in variables was evaluated.
• Switched the file upload functionality to be whitelisted for all users including Admins.
• Retiring of the two importers of Tag data from old plugins.

Wordpress blogs are currently not announcing the new release. It is expected that this will change in the next hours so that the automatic update option becomes available for Wordpress webmasters who use it to update their website. Webmasters who manually update their blog can visit the Wordpress page to download the latest version of Wordpress. Additional information about the security release are available in the blog post that announced the upgrade.

Related posts

• Wordpress 2.8.6 Security Update (5)
• Wordpress 2.8.2 Security Patch (1)
• Wordpress 2.6.5 Security Update (0)
• Wordpress 2.6.1 released (1)
• Don’t upgrade to Wordpress 2.3 yet (3)

The XSS vulnerability could be used to create comment author urls that would redirect the system administrator away from the blog’s website to another site to exploit the situation. Wordpress webmasters are encouraged to update their blogs as soon as possible to patch the security vulnerability.

Updates are available directly from within the Wordpress interface if the correct server login information are supplied or by updating the traditional way which would mean to download the Wordpress release from the Wordpress website, upload it to the web server and run the upgrade command manually. The release information should also be displayed prominently in the Wordpress admin interface with a link to the automatic update script of Wordpress.

Related posts

• Wordpress 2.8 (5)
• Wordpress 2.6.5 Security Update (0)
• Wordpress 2.6.1 released (1)
• Wordpress 2.8.6 Security Update (5)
• Wordpress 2.8.5 Security Update (4)

Alternatively only the files wp-includes/feed.php and wp-includes/version.php can be copied from the new release over the old files to update the blog. The security vulnerability is unlikely to affect a large number of Wordpress blogs though as it only only affects IP-based virtual servers running on Apache 2.x.

There might also be some confusion about the versioning of Wordpress. The last official Wordpress version was Wordpress 2.6.3. Wordpress 2.6.4 was skipped because of a fake malicious release that made its round. The official new release is therefor Wordpress 2.6.5.

Related posts

• Wordpress 2.8.2 Security Patch (1)
• Wordpress 2.7.1 Update (3)
• Wordpress 2.6.1 released (1)
• Wordpress 2.5.1 released (1)
• Wordpress: Your attempt to edit this post has failed (8)

Over 60 fixes have been introduced in the new Wordpress version, several of them critical and some security related. You can check out the complete list of fixes in Wordpress 2.6.1 by following the link to Wordpress Trac.

I’m usually not that interested in what has been fixed than to apply the updates to all of my blogs immediately. It does not look like as if new features have been introduced in Wordpress 2.6.1, more of a bug fix release it seems.

The next big release will be Wordpress 2.7 which will introduce several new features and options to Wordpress. Looking forward to that. It is however recommended to update the blog as soon as possible.

Related posts

• Wordpress 2.8.2 Security Patch (1)
• Wordpress 2.6.5 Security Update (0)
• Zoundry Raven portable Blog Editor (6)
• Wordpress 2.8.6 Security Update (5)
• Wordpress 2.8.5 Security Update (4)

The online security script Wordpress Scanner is a great tool which can be used to scan your Wordpress blog for several vulnerabilities such as outdated versions of Wordpress or single files and XSS vulnerabilities in themes. All you need to do is add the line in the header of your blog so that the Wordpress Scanner cgi script can access the information and knows that you are indeed the owner of the blog.

This tool is not perfect but it analyzes the versions of your Wordpress files which is probably the dominant attack vector when it comes to Wordpress hacking and basic XSS vulnerabilities in the themes. The tool gives advice if vulnerabilities have been found on how to fix them.

Just make sure you run the script, follow the guidelines and remove the wpscanner entry from your header again. You would not want someone else to be able to check your blog for vulnerabilities, would not you ? This is a great little script which should become even better when the author adds checks for plugins.

Related posts

• Wordpress 2.8.6 Security Update (5)
• Wordpress 2.8.5 Security Update (4)
• Wordpress 2.8.2 Security Patch (1)
• Wordpress 2.6.5 Security Update (0)
• Wordpress 2.6.1 released (1)