[chandler-dev] Chandler Project Blog: Fatal error

Jared Rhine jared at wordzoo.com
Mon May 18 12:25:06 PDT 2009


On Monday 18 May 2009 08:49:54 Grant Baillie wrote:
> 2) I noticed Jared's "OSAF/Chandler Outage Report for 2009-04-28"
> post, i.e.
>
> http://blog.chandlerproject.org/2009/04/29/osafchandler-outage-report-for-2009-04-28/
>
> is showing up blank.

Actually, it was spamjacked.  View source on that posting; bleah.  It shows 
that our blog has been hijacked.  I have no idea how, but I've been prepping 
an "update wordpress to 2.7.1" project for a couple days.

Oddly, the first step in a full wordpress update is "disable all the plugins" 
but I hadn't performed that yet.  Odd coincidence.

I don't know what's up with the comments-are-off thing either.  I noticed we 
had a huge round of bogus comments going back to all kinds of old posts a 
couple days ago; I remember thinking "we should start turning off comments on 
old posts" but I didn't do anything about that yet either.

I'm somewhat worried about the security breach; I don't know how it happened.  
The behavior looks very similar to the last big security problem with 
wordpress (xmlrpc.php), where bad actors can act as another user and update 
their posts.  But we hotpatched for that issue and I can't find any announced 
problems in subsequent releases.

I'll take a careful look at the configuration when I do the update.

I've always considered wordpress a security risk; their track record is not 
good.  Packages with lots of security holes in the past are likely to have 
lots of security holes in the future.  TWiki is in the same category.

-- Jared
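Jared's check above ("view source on that posting") is a one-off; the added example below, which is not code from the Chandler project or from this thread, turns it into something repeatable for the symptom he describes: a post that renders blank while its source is full of links. It walks stored post HTML with the standard-library parser, separates readable text from text inside CSS-hidden markup, and flags posts whose links mostly live in hidden blocks or that carry embedded iframes/scripts. The two sample posts, the example.org/example.net URLs and the list of CSS hiding tricks are constructed assumptions for illustration, not a record of what was actually injected into the Chandler blog.

```python
import re
from html.parser import HTMLParser

# CSS patterns commonly used to keep injected spam out of the rendered page
# while leaving it in the source for crawlers. Assumed heuristics; extend to taste.
HIDING_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}px"
    r"|font-size\s*:\s*0(?:px|pt|em)?\s*(?:;|$)"
    r"|(?:height|width)\s*:\s*0(?:px)?\s*(?:;|$)",
    re.I,
)

# Elements that never get a matching end tag; they must not touch the stack.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "base",
             "col", "embed", "param", "source", "track", "wbr"}


class PostScanner(HTMLParser):
    """Walk one post's HTML and separate what a reader sees from what is hidden."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._stack = []           # one bool per open element: does it hide its subtree?
        self._hidden_depth = 0     # > 0 while inside any hidden subtree
        self.visible_text = []
        self.visible_links = []
        self.hidden_links = []
        self.suspicious_tags = []  # (tag, src) for iframe/script/object/embed

    def _starts_hidden(self, tag, attrs):
        if tag in ("script", "style"):      # their bodies are never readable text
            return True
        if "hidden" in attrs:               # HTML5 boolean attribute
            return True
        return bool(HIDING_STYLE.search(attrs.get("style") or ""))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = self._starts_hidden(tag, attrs)
        if tag in ("iframe", "script", "object", "embed"):
            self.suspicious_tags.append((tag, attrs.get("src", "")))
        if tag == "a" and attrs.get("href"):
            bucket = self.hidden_links if (self._hidden_depth or hidden) else self.visible_links
            bucket.append(attrs["href"])
        if tag in VOID_TAGS:
            return
        self._stack.append(hidden)
        if hidden:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self._stack:
            return
        if self._stack.pop():
            self._hidden_depth -= 1

    def handle_data(self, data):
        if not self._hidden_depth and data.strip():
            self.visible_text.append(data.strip())


def scan_post(html):
    """Return a verdict dict for one post body; 'flagged' is True when it looks spamjacked."""
    p = PostScanner()
    p.feed(html)
    p.close()
    visible_chars = sum(len(t) for t in p.visible_text)
    total_links = len(p.visible_links) + len(p.hidden_links)
    reasons = []
    if p.hidden_links:
        reasons.append("%d link(s) inside hidden markup" % len(p.hidden_links))
    if p.suspicious_tags:
        reasons.append("embedded " + ", ".join(t for t, _ in p.suspicious_tags))
    if total_links >= 3 and visible_chars < 40:
        reasons.append("link farm with almost no readable text")
    return {
        "visible_chars": visible_chars,
        "visible_links": p.visible_links,
        "hidden_links": p.hidden_links,
        "suspicious_tags": p.suspicious_tags,
        "reasons": reasons,
        "flagged": bool(reasons),
    }


# Constructed sample posts (not real Chandler blog content).
CLEAN_POST = """<p>On 2009-04-28 the hosts were offline for about two hours
while we replaced a failed disk.</p>
<p>Full notes are on <a href="http://example.org/notes">the wiki</a>.</p>"""

SPAMJACKED_POST = """<div style="display:none">
<a href="http://example.net/buy-cheap-1">cheap meds</a>
<a href="http://example.net/buy-cheap-2">casino</a>
<a href="http://example.net/buy-cheap-3">loans</a>
</div>
<p style="position:absolute; left:-9999px"><a href="http://example.net/4">more</a></p>
<iframe src="http://example.net/track" width="0" height="0"></iframe>"""

if __name__ == "__main__":
    for name, body in (("clean", CLEAN_POST), ("spamjacked", SPAMJACKED_POST)):
        print(name, scan_post(body))
```

In practice you would feed `scan_post` every row of `post_content` from the blog database (or an XML export) and review whatever comes back flagged; the "looks blank but has links" heuristic is the one that catches the outage-report post described in this thread, and the iframe/script check catches the variant where the injected markup is a tracker or loader rather than link spam.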
