A new version of WordPress has been issued to fix a cross-site scripting (XSS) vulnerability in post comments. All users are recommended to upgrade to this version.
This version, 0.7.1.1, is unfortunately not available from the normal locations. You can get it from http://zed1.com/wordpress-0.711/. That page explains several strategies for addressing this vulnerability.
Mike
Thank you for this Mike!
Comment from Southern Gal on June 25, 2003
Good that it was taken care of. Thanks.
Was it warranted to require (on the face of it) most users to upgrade to 0.7.1.1 when only a half dozen lines of code in one file needed replacing? I had to read the instructions (more than once) on your (Mike Little) site to realise that I would have been wasting my time, mods and customizations for the sake of 6 lines of code! Slight overkill IMHO.
I realise that the approach taken was probably with people who are unfamiliar with PHP or whatever in mind, so feel free to put me in my place.
Comment from Mike on June 28, 2003
Hi Mike,
I thought I’d given very clear alternatives on the page. With the options to d/load the zip, the individual file, checkout from CVS, disallow html in comments, and lastly displaying exactly the lines changed.
Comment from mike on July 2, 2003
jo jo jo
Comment from name on July 8, 2003
0.7.1.1 does not seem to be safe yet (I didn’t actually test it, but judging from the code), so WordPress users need to disallow HTML in comments, and be careful about inviting unknown people as guest bloggers.
I wrote about this problem at:
http://tidakada.com/board/viewtopic.php?p=17291#17291
Comment from Nobuo Sakiyama on July 14, 2003
Is WP dead like B2 slowly died? 🙁
At least a monthly blog update with what’s going on in the project would be nice… We heard about all these new features, but then no word since.
Comment from batkiwi on July 30, 2003
No WordPress is not dead. Things appear to be going slowly at the moment but the next release is coming together. I was about to post about some work I have just completed.
Comment from mike on July 31, 2003
Sweet!!!!!! I meant #6 as an “i hope it’s not dead, please update!” and not a declaration of death 🙂
Comment from batkiwi on July 31, 2003