WordPress 2.3.2 Is Out

By Daniel Scocco

Last week Cybernet covered a WordPress bug that allows any user to view your draft and pending posts. This bug is not critical in terms of security, but it sure can be a problem if people start ripping off posts that you haven’t even published yet!

The post has a quick fix if you want to protect yourself without needing to upgrade. The best option, though, is to upgrade your WordPress to version 2.3.2, which was released to fix this problem.

The new version also integrates a custom error page for database errors (the one that shows when the site is not able to connect with the database).


23 Responses to “WordPress 2.3.2 Is Out”

  • Caribbean Web Development

    whew, yet another update

  • The How-To Geek

    It’s important to note that this security hole affects all versions of WordPress, even MU and much older versions.

    You can patch the older versions by manually applying the couple of lines of changes linked in the trac issue. The patched query.php file doesn’t exist in older versions of WordPress, that function is found in functions.php instead.

  • Daniel

    Thanks for that Geek, I saw you provided the patch on the other article.

  • The How-To Geek

    Yes, that was a temporary hack… I only suggested it to Ryan, but he actually tested it out.

    Now that they’ve properly fixed the issue, it’s probably wisest to use the patch in the WordPress trac issue when patching your blog.

    Direct link: http://trac.wordpress.org/ticket/5487

    Of course upgrading to the very latest version of WordPress is the best solution, it’s just not always an option for everybody (like me)

  • djbaxter

    “The new version also integrates a custom error page for database errors (the one that shows when the site is not able to connect with the database).”

    Yes. At least, that’s the hot rumor. But exactly where do you find, activate, and customize this option? I see nothing in the Admin CP at all, and no documentation beyond the fact that it is supposed to exist.

  • Daniel

    djbaxter, I think you need to create a db-error.php template, and that one will be used whenever there is a database error as the default page.

    You can just copy your current 404 page, add any modifications you want, and save it as db-error.php and put it together with the other php pages.

  • The How-To Geek

    The db-error.php file actually needs to be in the wp-content/ directory. You can see the include statement on line 1426 here:
    http://trac.wordpress.org/changeset?old_path=tags%2F2.3.1&old=6528&new_path=tags%2F2.3.2&new=6528#file7

    It’s not a regular WordPress template file, just put your html into it… keep in mind that your database is down if that file is ever being loaded, so you can’t really use anything dynamic. Also note the die() line right after including the db-error file, so that’s pretty much the only thing that will be processed.
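    A minimal wp-content/db-error.php along the lines the comment describes, added here as an illustration and not taken from the thread or from WordPress itself. It is static markup only, because the database is unreachable whenever this file is loaded and WordPress calls die() right after including it. The 503 status and Retry-After header are my addition (the page only says to put plain HTML in the file); they tell browsers and crawlers the outage is temporary rather than a missing page.

```php
<?php
// wp-content/db-error.php (example, not WordPress's own code).
// WordPress includes this file when it cannot connect to the database and
// calls die() immediately afterwards, so nothing here may query the
// database or call WordPress functions that depend on it. Keep it static.

// Mark the response as a temporary server-side failure so search engines
// do not index the error page or drop the real URLs from their index.
if (!headers_sent()) {
    header('HTTP/1.1 503 Service Unavailable');
    header('Retry-After: 600');                 // seconds; adjust to taste
    header('Content-Type: text/html; charset=UTF-8');
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Database Error</title>
</head>
<body>
  <h1>Error establishing a database connection</h1>
  <p>The site is temporarily unavailable. Please try again in a few minutes.</p>
  <!-- Deliberately no file paths, hostnames, credentials, or MySQL/PHP error
       text: a visitor only needs to know the site is down, not why. -->
</body>
</html>
```

    The only things worth adding beyond this are static links to other places visitors can go, as Daniel suggests later in the thread; anything that needs the database will fail in the same way the original request did.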

  • djbaxter

    Thanks, folks. Following up on that, I created a db-error.php file containing the following:


    Database Error

    Error establishing a database connection

    That basically displays just the message “Error establishing a database connection” with no other information that might be helpful to a hacker, and then dies. Correct?

  • djbaxter

    Oops. I don’t know how to display the raw code here. However, I’ve posted it at http://www.theadminzone.com/forums/showthread.php?p=313965#post313965

  • Daniel

    That is pretty much what the standard page from WordPress would display :).

    The ability to create a custom one is handy if you want to give some other information to your visitors, like some related links or places where they can go while your site is not available.

  • djbaxter

    Yes, I understand that. I’m just trying to get it to work at the moment.

    But I am confused now. One occasionally sees very detailed error information on blogs including server-level file paths. I thought the point of adding the db-error.php option was to prevent that happening.

    Does this not do that? Or has the new version effectively eliminated those detailed error messages from being displayed to visitors?

  • Daniel

    If I am not wrong WordPress has a standard DB error page that will only show a message, and it will not disclose any sensitive information.

  • djbaxter

    Then let me ask the next question: Does this “new” option actually provide any new functionality at all to the average blog?

  • Daniel

    It is like customizing a 404 error page. The standard one “gets the job done,” but you can always tweak it a bit to offer a better experience to your visitors.

  • djbaxter

    OK. From the WordPress announcement, I guess I had the mistaken impression that this was intended to fix a potential security vulnerability, rather than simply add customization.

    Thanks for the replies. 🙂

  • marco

    Update is done as always pretty smooth

  • Matej

    Can anyone tell me what’s the name of the WordPress plugin which informs unverified e-mail subscribers to verify their subscriptions?

    I know it’s off topic but it’s about WordPress 😉

  • Daniel

    @Matej

    http://techie-buzz.com/wordpress-plugins/notify-unconfirmed-subscribers-plugin-release.html

  • Matej

    Thanks Daniel

  • Frank

    This bug is not critical in terms of security, but it sure can be a problem if people start ripping off posts that you haven’t even published yet!

    Is this a real blogging problem? Do people rip-off other bloggers with regularity?

    I don’t think I have anything to worry about, given that my blog is pretty personal, I am just curious.

  • Daniel

    Frank, yeah this is a big problem once your blog gets some attention. If you consider big guns like TechCrunch or Mashable I would say that each post they publish gets ripped by some 10 sploggers anywhere, if not more.

  • Frank

    Damn, that’s a lot of theft! Guess the best thing to do is not get popular LOL (although one wouldn’t make any money that way)

  • Chrissy

    Daniel – I am a total tech moron and I’m scared to death of the update process….can you tell me how “necessary” it is? I think I know the answer – very – but I’m afraid of seriously messing something up. Can you put my fears to rest in some way?
