WordPress uses insecure updates

Scott Arciszewski has sent a post to the oss-security mailing list in which he describes WordPress's unfortunate choice of a weak update mechanism. The problem means that it is far too easy to trick WordPress into installing malicious code that gives criminals control over your organisation's website.

This is the function that fetches downloads from the WordPress update servers: https://github.com/WordPress/WordPress/blob/f5b6731777bbd1dfe290867d2240a2a68e2f0cf1/wp-admin/includes/class-wp-upgrader.php#L252-L283

The only verification it offers is an MD5 checksum, which is sent by the server that also serves the file: https://github.com/WordPress/WordPress/blob/eeefec932f3d4f3b50369f6523c2cd8fad3d467f/wp-admin/includes/file.php#L482-L52
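The weakness described above, as an added example written for this page (in Go rather than WordPress's own PHP, and not code from the original post): a checksum served by the same host as the download still matches after the package is swapped, while a detached signature checked against a key pinned in the client does not. The Release type, publish, tamper and the key generation are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Release models what an update server hands back: the package plus the integrity metadata it chooses to send.
type Release struct {
	Package []byte
	MD5     string // checksum computed and served by the same host as the file
	Sig     []byte // detached signature produced offline with the release key
}

func md5hex(b []byte) string { s := md5.Sum(b); return hex.EncodeToString(s[:]) }

// newReleaseKey creates the publisher's signing key (constructed for this example); the public half is what a client pins.
func newReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return pub, priv
}

// publish builds a genuine release: checksum and signature both match the package.
func publish(priv ed25519.PrivateKey, pkg []byte) Release {
	return Release{Package: pkg, MD5: md5hex(pkg), Sig: ed25519.Sign(priv, pkg)}
}

// tamper models a compromised or spoofed update server: it swaps the package and recomputes the checksum, but cannot re-sign.
func tamper(r Release, replacement []byte) Release {
	return Release{Package: replacement, MD5: md5hex(replacement), Sig: r.Sig}
}

// verifyServerMD5 is the weak check: a checksum from the same origin catches corruption, not substitution.
func verifyServerMD5(r Release) bool { return md5hex(r.Package) == r.MD5 }

// verifyPinnedSignature accepts only packages signed by the pinned release key.
func verifyPinnedSignature(r Release, pinned ed25519.PublicKey) bool {
	return ed25519.Verify(pinned, r.Package, r.Sig)
}

func main() {
	pub, priv := newReleaseKey()
	genuine := publish(priv, []byte("wordpress-core.zip (constructed sample)"))
	evil := tamper(genuine, []byte("backdoored archive (constructed sample)"))
	fmt.Printf("md5 genuine=%v tampered=%v | sig genuine=%v tampered=%v\n",
		verifyServerMD5(genuine), verifyServerMD5(evil), verifyPinnedSignature(genuine, pub), verifyPinnedSignature(evil, pub))
}
```

The MD5 check reports true for both packages; only the pinned-key signature check distinguishes the genuine release from the replaced one.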

Contact Alex from Holst Sikkerhed if you need your website to be more than ordinarily secure.