New SQL Injection vulnerability?

Well, I guess that solves a problem for me….

A shame really.

-tg

Crap.
Please can this be patched against ?

Edit:
If you are using 1.5.2, backup your database.
Frequently.

Comment #10 on the bug page: https://bugs.gentoo.org/show_bug.cgi?id=121661
reads as follows:

ah. Sorry should have notified you about my progress. I got in contact with Ryan Boren through [email protected] and discussed the bug with him. His comments were:

“1.5.2 has several security bugs that are fixed by 2.0.x, including this one. 1.5.2 is pretty much unmaintained now. We could patch this bug, but there would still be several bugs remaining unless we backport everything from 2.0.1.
We hadn’t planned on backporting anything to 1.5.2.”

So it’s OK to release with me.

So that sounds like a “uh, no.” to me…..

Like I said, it just made a decision easier for me.

-tg

And wasn’t it of course only a matter of time anyway….

Poop. Good thing I’ve been getting familiar with 2.0.1 – *sigh*

Even though I’m the queen of redundant backups, I’m not gonna mess with trying to stay with 1.5.2 I guess.

the fix for that.. rather “how” to fix is on trac. Podz, I think youre the one that linked to the changed files in another thread..

compare the comment-functions.php’s:

2.0.* :

function wp_filter_comment($commentdata) {….

$commentdata[‘comment_agent’] = apply_filters(‘pre_comment_user_agent’, $commentdata[‘comment_agent’]);

.. and so on..

kses.php was the other file that changed as well if I remem. correctly.

(nice that I moderate everything)

vkaryl – “And wasn’t it of course only a matter of time anyway…”

so 2.0.2 will be insecure by definition ?

I think everything is “insecure by definition” simply because there’s a whole world of idiots out there who spend their lives digging to find exploitable areas.

Be nice to be wrong.

this is actually old …see #5

oops, I guess a link is needed.

https://www.frsirt.com/english/advisories/2005/0925

Hi,

do I understand correctly that moderated comments are not touched by that problem?

LHK

thats what I read. shall we try it? I have a ua switcher extension installed ?? fwiw, I cant even view my site WITH a ` in my u-a (go figure, cookies)

whooami, am I to understand from what you said above that 1.5.x can be patched at least temporarily? I have not the time nor the patience right now to do a complete upgrade on my own blog and deal with the resulting fallout from the buggy 2.0.1. Bad enough I have to CLEAR EVERY DAMN THING in my client layouts right now just to get that bad b&tch to render them right (whereas 1.5.x doesn’t need any of it.) *grumbles about hackers, bugs, and life in general*

LOL whooami,

you’re way above my head ??

I’m just wondering whether I still have some time before I need to update other blogs I also maintain which still are on 1.5.2. Comments usually are – as per definition – set to moderated for blgsites I set up for people, because it’s not really spam they need to guard against, rather competitor nastiness.

After seeing quite a few problems people have here with updating, I want to sandbox all the updates first and had hoped to be able to do that at leisure.

LHK

Do NOT upgrade to 2.0.1 !!
You’ll have to then upgrade to 2.0.2

Wait. Hopefully the dev blog will have something. Soon.

Hey, that’s nice (sarcasm should be assumed there)…. what’s happened to my tester’s list emails that should have info about this? I only got one digest yesterday, nothing so far today….

Last thing I read, 2.0.2 was still on hold. Sheesh.

Hi Podz,

and why is it such a horror to upgrade to 2.0.2 from 2.0.1? *scratching my head*

LHK