Serious Security Vulnerabilities of WordPress 1.5.1.2 and below
July 5th, 2005
WordPress is a very popular personal publishing platform aka blogging platform (with a primitive CMS) in use all over the web. There are a number of serious security vulnerabilities in WordPress that may allow an attacker to ultimately run arbitrary code on the vulnerable system.
Linux Worm Exploits PHP XMLRPC Vulnerability
November 9th, 2005
There are a few reports of an attack by a new Linux worm called Lupper, which exploits a well-known PHP XMLRPC implementation vulnerability. The PHP XMLRPC implementation is used in a large number of popular web applications such as PostNuke, Drupal, b2evolution, Xoops, PHPGroupWare, TikiWiki etc.
Command Execution Vulnerability in WordPress Affecting all Versions
August 13th, 2005
A command execution vulnerability has been found in WordPress's handling of incoming cookie information, which allows remote attackers to cause the program to execute arbitrary code if the PHP setting register_globals has been set to On. A Perl and PHP exploit is already available.
Macromedia Flash Player 7 Remote Code Execution Vulnerability
November 14th, 2005
A vulnerability has been reported in Macromedia Flash Player 7, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused by missing validation of the frame type identifier that is read from a SWF file.
Solving WordPress 1.5.1.2 Trackback and Pingback Sending Problems
June 12th, 2005
I was unable to send trackbacks and pingbacks after I tested with WordPress 1.5.1.2. I found the solution yesterday.
WordPress Patch Update From 1.5.1.2 to 1.5.1.3 Now Available
June 30th, 2005
WordPress developers have posted yet another "security" update. Again, as always, you have to delete everything (except wp-content/ and config.php) and re-install from scratch.
Is there a need to upgrade beyond WordPress 1.5.1.2 in near future?
June 20th, 2005
I looked at the proposed feature set summary for WordPress 1.6. Mostly UI changes, few extra plugin hooks etc.
An excellent introduction to Expression Engine & B2Evolution
February 19th, 2005
Doug Pardee has given me an excellent introduction to B2Evolution and Expression Engine. If you are like me looking for a better blogging system you should check out his comments on this post on privacy policy.
Cross-Site Scripting Vulnerability in Apache mod_imap Module
December 16th, 2005
A cross-site scripting (XSS) vulnerability has been discovered in the Apache httpd server's mod_imap module which allows remote attackers to inject arbitrary web script or HTML via the Referer when using image maps. Input passed to the image map "Referer" directive in "mod_imap" isn't properly sanitised before being returned to the user.
Microsoft Internet Explorer Bug Allows Hackers To Read Your Email, Website Credentials & Remote Code Execution
June 29th, 2006
Fresh security problems have been found in Microsoft Internet Explorer that can allow attackers to take over a system or read private information from other Web sites. One of the bugs also affects Firefox.
WordPress Creator Matt's WordPress Blog Down
April 26th, 2009
A comforting day indeed. Matt Mullenweg is the author of the popular blogging software, WordPress.
WordPress.com Copies Core Drupal Branding Theme Citing GPL
December 19th, 2006
Drupal is known to be geeky (read hard) for casual CMS users. Drupal was all set to change its geeky image with a super cool theme - Garland.
Microsoft PowerPoint Suffers From Memory Corruption Security Vulnerability
July 18th, 2006
Naveed has discovered a vulnerability in Microsoft PowerPoint, which potentially can be exploited to compromise any user's system. The vulnerability has been confirmed on Windows XP SP2 with a fully patched PowerPoint 2003.
WordPress (Blogging Software) Version 2.1 Released
January 24th, 2007
WordPress, a popular blogging software, has released version 2.1 with many exciting features and over 550 bug fixes. The key features are:
Autosaving of posts - It has incorporated the features of tw_autosave plugin in the core.
Oh No! Yet Another WordPress Fix to a Fix to a Fix to a Fix
May 28th, 2005
WordPress team has come up with yet another security fix (1.5.1.2), which fixes the fix (1.5.1.1), which fixes the fix (1.5.1), which is a fix for undisclosed security defects in WordPress 1.5. Update: Now it should read: WordPress team has come up with yet another security fix (1.5.1.3) which fixes the (yet another undisclosed security risk) fix (1.5.1.2), which fixes the fix (1.5.1.1), which fixes the fix (1.5.1), which is a fix for undisclosed security defects in WordPress 1.5.
October 10th, 2005 at 1:15 pm
[...] It turns out the weak spot was a file called “xmlrpc.php.” It’s a web service that helps move data, and is part of the standard WordPress installation. Its vulnerability had been documented, but I’d missed it. BunnySlippers had used it to overwrite the file “index.php,” the main file which generates all the pages on this site. [...]