[chandler-dev] Chandler Project Blog: Fatal error
jared at wordzoo.com
Mon May 18 12:25:06 PDT 2009
On Monday 18 May 2009 08:49:54 Grant Baillie wrote:
> 2) I noticed Jared's "OSAF/Chandler Outage Report for 2009-04-28"
> post, i.e.
> is showing up blank.
Actually, it was spamjacked. View source on that posting; bleah. It shows
that our blog has been hijacked. I have no idea how, but I've been prepping
an "update wordpress to 2.7.1" project for a couple days.
Oddly, the first step in a full wordpress update is "disable all the plugins"
but I hadn't performed that yet. Odd coincidence.
I don't know what's up with the comments-are-off thing either. I noticed we
had a huge round of bogus comments going back to all kinds of old posts a
couple days ago; I remember thinking "we should start turning off comments on
old posts" but I didn't do anything about that yet either.
I'm somewhat worried about the security breach; I don't know how it happened.
The behavior looks very similar to the last big security problem with
wordpress (xmlrpc.php), where bad actors can act as another user and update
their posts. But we hotpatched for that issue and I can't find any announced
problems in subsequent releases.
I'll take a careful look at the configuration when I do the update.
I've always considered wordpress a security risk; their track record is not
good. Packages with lots of security holes in the past are likely to have
lots of security holes in the future. TWiki is in the same category.
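The "blank post whose source is full of spam" symptom above is easy to check for across an exported set of posts. The following is an added example, not code from the Chandler project or this thread; it scans post HTML for hidden containers (display:none, visibility:hidden, off-screen positioning) and reports links and text buried inside them, using a constructed clean post and a constructed spam-injected post as input.

```python
import re
from html.parser import HTMLParser

# Inline styles that hide content from readers while leaving it in the source.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"text-indent\s*:\s*-\d{3,}|(left|top)\s*:\s*-\d{3,}px", re.I)
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}


class _Scanner(HTMLParser):
    """Tracks whether the parser is inside a hidden element."""

    def __init__(self):
        super().__init__()
        self._stack = []          # (tag, hidden) for open elements
        self.depth_hidden = 0     # how many enclosing elements are hidden
        self.hidden_links = []    # hrefs that a reader would never see
        self.visible_chars = 0
        self.hidden_chars = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href") and self.depth_hidden:
            self.hidden_links.append(attrs["href"])
        if tag in VOID_TAGS:
            return
        hidden = bool(HIDDEN_STYLE.search(attrs.get("style") or ""))
        self._stack.append((tag, hidden))
        if hidden:
            self.depth_hidden += 1

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates sloppy nesting.
        while self._stack:
            open_tag, hidden = self._stack.pop()
            if hidden:
                self.depth_hidden -= 1
            if open_tag == tag:
                break

    def handle_data(self, data):
        n = len(data.strip())
        if self.depth_hidden:
            self.hidden_chars += n
        else:
            self.visible_chars += n


def scan_post(html):
    """Return indicators of injected hidden spam for one post body."""
    s = _Scanner()
    s.feed(html)
    s.close()
    return {"hidden_links": s.hidden_links,
            "visible_chars": s.visible_chars,
            "hidden_chars": s.hidden_chars,
            "suspicious": bool(s.hidden_links) or s.hidden_chars > 0}


# Constructed sample posts (hypothetical domains, not from the thread).
CLEAN_POST = "<p>The outage on 2009-04-28 lasted two hours.</p>"
SPAMMED_POST = ('<div style="display:none"><a href="http://spam.example/">'
                'cheap pills</a><a href="http://spam2.example/">more</a></div>')

if __name__ == "__main__":
    for name, body in (("clean", CLEAN_POST), ("spammed", SPAMMED_POST)):
        print(name, scan_post(body))
```

Run it over a database dump of wp_posts (or the RSS feed) and any post with a non-empty hidden_links list is a candidate for the same hijack.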