WordPress 2.3.2 Is Out

Last week Cybernet covered a WordPress bug that allows any user to view your draft and pending posts. The bug is not critical in terms of security, but it sure can be a problem if people start ripping off posts that you haven’t even published yet!

That post includes a quick fix if you want to protect yourself without upgrading. The best option, though, is to upgrade to WordPress 2.3.2, which was released specifically to fix this problem.

The new version also adds support for a custom error page for database errors (the one shown when WordPress is unable to connect to the database).


23 Responses to “WordPress 2.3.2 Is Out”

  1. Caribbean Web Development on December 31st, 2007 7:43 am

    whew, yet another update

  2. The How-To Geek on December 31st, 2007 7:47 am

    It’s important to note that this security hole affects all versions of WordPress, even MU and much older versions.

    You can patch the older versions by manually applying the couple of lines of changes linked in the trac issue. The patched query.php file doesn’t exist in older versions of WordPress, that function is found in functions.php instead.

  3. Daniel on December 31st, 2007 8:06 am

    Thanks for that Geek, I saw you provided the patch on the other article.

  4. The How-To Geek on December 31st, 2007 8:44 am

    Yes, that was a temporary hack… I only suggested it to Ryan, but he actually tested it out.

    Now that they’ve properly fixed the issue, it’s probably wisest to use the patch in the WordPress trac issue when patching your blog.

    Direct link: http://trac.wordpress.org/ticket/5487

    Of course upgrading to the very latest version of WordPress is the best solution, it’s just not always an option for everybody (like me)

  5. djbaxter on December 31st, 2007 11:35 am

    “The new version also integrates a custom error page for database errors (the one that shows when the site is not able to connect with the database).”

    Yes. At least, that’s the hot rumor. But exactly where do you find, activate, and customize this option? I see nothing in the Admin CP at all, and no documentation beyond the fact that it is supposed to exist.

  6. Daniel on December 31st, 2007 11:37 am

    djbaxter, I think you need to create a db-error.php template, and that one will be used whenever there is a database error as the default page.

    You can just copy your current 404 page, add any modifications you want, and save it as db-error.php and put it together with the other php pages.

  7. The How-To Geek on December 31st, 2007 5:47 pm

    The db-error.php file actually needs to be in the wp-content/ directory. You can see the include statement on line 1426 here:
    http://trac.wordpress.org/chan.....6528#file7

    It’s not a regular WordPress template file, just put your html into it… keep in mind that your database is down if that file is ever being loaded, so you can’t really use anything dynamic. Also note the die() line right after including the db-error file, so that’s pretty much the only thing that will be processed.
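
A wp-content/db-error.php along the lines the comment above describes, written here as an added example: it is not the file djbaxter posted (the comment form ate his), and it is not code shipped with WordPress. It assumes only what the thread states, that WordPress includes the file when the database connection fails and calls die() right after, so nothing in it may touch $wpdb, template tags or any other WordPress function. The 600-second Retry-After value and the two static links are assumptions to adjust for your own site.

```php
<?php
/*
 * wp-content/db-error.php (added example, not WordPress core code)
 *
 * WordPress includes this file when it cannot connect to the database and
 * calls die() immediately afterwards. The database is down at this point,
 * so nothing here may use $wpdb, get_option(), template tags or anything
 * else from the WordPress API. Keep it static.
 */

// Send a 503 rather than the default 200, so browsers and crawlers treat
// this as a temporary outage instead of indexing the error text as a page.
// The raw status line works on old PHP versions; http_response_code()
// only exists on PHP 5.4 and later. The Status: header covers CGI/FastCGI.
header('HTTP/1.1 503 Service Unavailable');
header('Status: 503 Service Unavailable');
header('Retry-After: 600');            // seconds; an assumed value, tune it
header('Content-Type: text/html; charset=utf-8');
header('Cache-Control: no-store, no-cache, must-revalidate');

// Keep the detail for yourself: the page below names no database host,
// user, file path or PHP error text. Record the event server-side instead,
// where it reaches the error log and not the visitor.
error_log('db-error.php served: WordPress could not connect to the database');
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="robots" content="noindex">
<title>Temporarily unavailable</title>
</head>
<body>
<h1>Temporarily unavailable</h1>
<p>The site is having trouble reaching its database. Please try again in a few minutes.</p>
<!-- Static links only: nothing below may depend on WordPress functions. -->
<p><a href="/">Home</a> | <a href="/feed/">RSS feed</a></p>
</body>
</html>
```

Drop the file in wp-content/ (not in the theme directory) and test it by temporarily putting a wrong password in wp-config.php: you should see this page with a 503 status and nothing more. Because the file is plain PHP, any syntax error in it turns the outage page itself into a blank screen, so check it with `php -l wp-content/db-error.php` before relying on it.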

  8. djbaxter on January 1st, 2008 5:30 am

    Thanks, folks. Following up on that, I created a db-error.php file containing the following:

    >

    Database Error

    Error establishing a database connection

    That basically displays just the message “Error establishing a database connection” with no other information that might be helpful to a hacker, and then dies. Correct?

  9. djbaxter on January 1st, 2008 5:32 am

    Oops. I don’t know how to display the raw code here. However, I’ve posted it at http://www.theadminzone.com/fo.....post313965

  10. Daniel on January 1st, 2008 5:34 am

    That is pretty much what the standard page from WordPress would display :).

    The ability to create a custom one is handy if you want to give some other information to your visitors, like some related links or places where they can go while your site is not available.

  11. djbaxter on January 1st, 2008 5:42 am

    Yes, I understand that. I’m just trying to get it to work at the moment.

    But I am confused now. One occasionally sees very detailed error information on blogs including server-level file paths. I thought the point of adding the db-error.php option was to prevent that happening.

    Does this not do that? Or has the new version effectively eliminated those detailed error messages from being displayed to visitors?

  12. Daniel on January 1st, 2008 5:50 am

    If I am not wrong WordPress has a standard DB error page that will only show a message, and it will not disclose any sensitive information.

  13. djbaxter on January 1st, 2008 6:04 am

    Then let me ask the next question: Does this “new” option actually provide any new functionality at all to the average blog?

  14. Daniel on January 1st, 2008 6:27 am

    It is like customizing a 404 error page. The standard one “gets the job done,” but you can always tweak it a bit to offer a better experience to your visitors.

  15. djbaxter on January 1st, 2008 6:32 am

    OK. From the WordPress announcement, I guess I had the mistaken impression that this was intended to fix a potential security vulnerability, rather than simply add customization.

    Thanks for the replies. :)

  16. marco on January 1st, 2008 10:00 am

    Update is done as always, pretty smooth.

  17. Matej on January 1st, 2008 1:14 pm

    Can anyone tell me what’s the name of the WordPress plugin which informs unverified e-mail subscribers to verify their subscriptions?

    I know it’s off topic but it’s about Wordpress ;)

  18. Daniel on January 1st, 2008 2:38 pm
  19. Matej on January 1st, 2008 3:38 pm

    Thanks Daniel

  20. Frank on January 5th, 2008 3:19 pm

    This bug is not critical in terms of security, but it sure can be a problem if people start ripping off posts that you haven’t even published yet!

    Is this a real blogging problem? Do people rip-off other bloggers with regularity?

    I don’t think I have anything to worry about, given that my blog is pretty personal, I am just curious.

  21. Daniel on January 6th, 2008 8:05 am

    Frank, yeah this is a big problem once your blog gets some attention. If you consider big guns like TechCrunch or Mashable I would say that each post they publish gets ripped by some 10 sploggers anywhere, if not more.

  22. Frank on January 6th, 2008 10:42 am

    Damn, that’s a lot of theft! Guess the best thing to do is not get popular LOL (although one wouldn’t make any money that way)

  23. Chrissy on January 19th, 2008 11:22 am

    Daniel - I am a total tech moron and I’m scared to death of the update process….can you tell me how “necessary” it is? I think I know the answer - very - but I’m afraid of seriously messing something up. Can you put my fears to rest in some way?
