-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                   AUSCERT Security Bulletin

                        ASB-2012.0123
       A number of vulnerabilities have been identified in WordPress
                        7 September 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              WordPress
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Increased Privileges -- Unknown/Unspecified
                      Reduced Security     -- Unknown/Unspecified
Resolution:           Patch/Upgrade

Member content until: Sunday, October 7 2012

OVERVIEW

        A number of vulnerabilities have been identified in WordPress
        prior to version 3.4.2. [1]

IMPACT

        The vendor has provided the following details regarding these
        issues:

        "Version 3.4.2 also fixes a few security issues and contains some
        security hardening. The vulnerabilities included potential
        privilege escalation and a bug that affects multisite installs
        with untrusted users. These issues were discovered and fixed by
        the WordPress security team." [1]

        "These issues were discovered and addressed by the WordPress
        security team:

        * Fix unfiltered HTML capabilities in multisite.
        * Fix possible privilege escalation in the Atom Publishing
          Protocol endpoint.
        * Allow operations on network plugins only through the network
          admin.
        * Hardening: Simplify error messages when uploads fail.
        * Hardening: Validate a parameter passed to
          wp_get_object_terms()." [2]

MITIGATION

        The vendor recommends upgrading to the latest version of
        WordPress to correct these vulnerabilities. [1]

REFERENCES

        [1] WordPress 3.4.2 Maintenance and Security Release
            http://wordpress.org/news/2012/09/wordpress-3-4-2/

        [2] Version 3.4.2
            http://codex.wordpress.org/Version_3.4.2

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.

The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUEmMle4yVqjM2NGpAQLiexAAtbjaTFKJVuHTufpxEsaUy3SehyWx6aCJ
hMkKyk8hRGiLbFKqjMt4Xyk6gWtHR4pKNS6WanLDACCj6V5fomAlXwqbcxtoYaGs
JO1UMyXdVqc3eBjCntZhqfEYpzK2yGFzqOM/rTYrlwRrbt6ZNkrS+GjgRrIK38wR
rBUQz/aIAah0X8loDrRZ1+GSDDQEsXZBmmU74Ywx4tR3oysgz3oj90rcebVBcxQH
Mnd0y+4IIfTG3C14i/stYZrc5qaVsaLrB/n5FaJx3izQy3tO2KZrnTMrrt93uod4
8HU6ae3Q3m0vPHt1vyyKiLcsMkTDRJAq98Dx/36UIQLq6xyU3Eu5XSMqye0jp2kS
EYALgZbdVSdjgQTjRA8qh9BeBgFnR83h0R6dxpy9c1E8FDtBQM1OsdGP+VQrUPqW
RS/LsgrOQAi+cBlg70diCy9RkWXtlnq0sK2wW6TNsg60VdNcmJzt0ioV1WaFNOZz
qEaX6z0qgMKPMyioYWefAVNmbxAHNg55HXS3cVTe2SNbvDtoPPDzL/FLqYPnDuzZ
n14dwo7sF3HZ947Dh/iBZn1urpg7z/sHJ3U9GM5m//0dIzIfrltGMyScaEsWV5wT
qwXYMAhRmBb0Xsw8df3/10o/47qKBl7/9G32CrkA/MGQX1Bfjs0Yle6M83aHMLbf
iXg+JTP1OHY=
=oE5V
-----END PGP SIGNATURE-----
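The bulletin's mitigation is to upgrade to 3.4.2 or later, so the practical first step for an administrator is finding every WordPress install on a host and checking which ones are still below that release. The script below is an added example, not part of the AusCERT bulletin or WordPress itself. It assumes the standard WordPress layout in which `wp-includes/version.php` assigns the release string to `$wp_version`; the two-site directory tree it builds for the demo is constructed here, and the version comparison treats a pre-release such as `3.4.2-beta1` as still predating the fix.

```python
"""Find WordPress installs under a directory tree and flag any older than
the fixed release 3.4.2 named in ASB-2012.0123.

Added example (not AusCERT's or WordPress's code). Assumes the usual
WordPress layout: <install>/wp-includes/version.php sets $wp_version.
"""
import os
import re
import sys
import tempfile

FIXED_VERSION = "3.4.2"  # release that the bulletin says corrects the issues

# Matches the assignment in wp-includes/version.php, e.g.  $wp_version = '3.4.1';
_VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""")


def parse_wp_version(php_source):
    """Return the version string assigned to $wp_version, or None if absent."""
    m = _VERSION_RE.search(php_source)
    return m.group(1) if m else None


def version_key(version):
    """Turn '3.4.2' or '3.4.2-beta1' into a tuple that compares correctly.

    '3.4' becomes (3, 4, 0) and sorts below '3.4.2' by tuple comparison.
    A pre-release suffix after '-' gets a trailing -1 instead of 0, so
    '3.4.2-beta1' ranks below the final '3.4.2' and is still reported.
    """
    core, _, suffix = version.partition("-")
    parts = tuple(int(p) for p in core.split(".") if p.isdigit())
    return parts + ((-1,) if suffix else (0,))


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when `version` predates the fixed release."""
    return version_key(version) < version_key(fixed)


def scan_for_wordpress(root):
    """Walk `root` and return a sorted list of (install_dir, version, vulnerable).

    `version` and `vulnerable` are None when version.php could not be parsed,
    so an unreadable install is surfaced rather than silently skipped.
    """
    results = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == "wp-includes" and "version.php" in filenames:
            with open(os.path.join(dirpath, "version.php"), encoding="utf-8",
                      errors="replace") as fh:
                version = parse_wp_version(fh.read())
            install_dir = os.path.dirname(dirpath)
            if version is None:
                results.append((install_dir, None, None))
            else:
                results.append((install_dir, version, is_vulnerable(version)))
    return sorted(results, key=lambda r: r[0])


def make_demo_tree():
    """Constructed sample data: two fake installs, one on 3.4.1 and one on 3.4.2."""
    root = tempfile.mkdtemp(prefix="wpscan-demo-")
    for name, ver in (("siteA", "3.4.1"), ("siteB", "3.4.2")):
        inc = os.path.join(root, name, "wp-includes")
        os.makedirs(inc)
        with open(os.path.join(inc, "version.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php\n$wp_version = '%s';\n" % ver)
    return root


if __name__ == "__main__":
    # Usage: python wpscan.py /var/www   (no argument -> scan the constructed demo tree)
    root = sys.argv[1] if len(sys.argv) > 1 else make_demo_tree()
    for install_dir, version, vulnerable in scan_for_wordpress(root):
        if version is None:
            status = "could not read $wp_version"
        elif vulnerable:
            status = "UPDATE NEEDED (older than %s)" % FIXED_VERSION
        else:
            status = "ok"
        print("%-45s %-12s %s" % (install_dir, version or "?", status))
```

Run it against the web root (for example `/var/www`) on each host; with no argument it scans the constructed demo tree and reports `siteA` (3.4.1) as needing the update and `siteB` (3.4.2) as fine. The version string only tells you the core release, so a site that has been patched by hand without bumping `$wp_version` would still be flagged, which is the conservative direction for this check.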