There is some misleading FUD going around about a vulnerability in WordPress 1.5.2.
Let’s get this out of the way plainly: there is no code execution vulnerability in WordPress 1.5.2.
Now, a little more explanation of how this came into question: There was some communication between the person who discovered the problem (Stefan Esser, to the best of my knowledge) and Matt. Matt formulated a fix, which was checked into the repository and which went through a couple of iterations. At some point, Matt posted a new downloadable archive on wordpress.org. But then he realized that the bugfix wasn’t complete. He updated the code again, and posted a new archive for download. At this point, Matt posted the official announcement of the availability of WordPress 1.5.2.
Unfortunately, the security researcher downloaded the faulty 1.5.2 archive (before it was announced, remember) and concluded that the new release was still vulnerable. But again, this is not the case. If you downloaded the new version at any time after the official announcement was posted, then your version is safe from this problem.
The only problem here was one of communication. In the interest of fairness, Stefan acknowledged the update (though in a confrontational manner).
UPDATE: As pointed out in the comments, I was incorrect about the timeline of events. There was a period of time after the announcement of the new version when the faulty archive was still up. So, if you downloaded before approximately 05:00 UTC (09:00 EDT) on August 15, then you should re-download. Also, though I don’t necessarily like the way that Stefan has handled his end of things, I do appreciate that he provided the appropriate fixes to us.