security exploit

Technorati ignoring vulnerable Wordpress blogs

A couple of months ago, Technorati announced that users of Wordpress needed to upgrade to the latest available version (now at Version 2.5). This week, Technorati announced that blogs remaining vulnerable to identified security exploits may no longer be indexed by their service.

Because of this ongoing problem, we're discontinuing processing crawls of blogs that exhibit common symptoms of being compromised. We strongly recommend upgrading your WordPress installation. Even if you haven't been afflicted by a compromise, by the time you are aware that you have been, a number of negative consequences may have already occurred (for instance, being flagged as spam by Technorati, Google or Yahoo!) -- this has been reported by many WordPress users.

If you don't upgrade your software, search engine services may block your site from being listed. I can't think of a greater incentive to update your content management software to the latest version than the threat of being delisted. This is a bold move by Technorati. I'm personally glad Technorati is taking a stand against sites hosting older versions of Wordpress with known security holes. In my opinion, there really isn't a good reason you shouldn't be upgrading your Wordpress site to the latest version.

Serendipity 1.3 Released

Serendipity 1.3 has been released. This new version of the blogging application introduces 41 changes. Not only are enhancements and additional features introduced, but also changes to address a nasty cross-site scripting issue (security exploit).

Some of the more significant features and enhancements in Serendipity 1.3 include:

  • The karma rating plugin has been upgraded to support nice, CSS-based rating graphics (see this post) and its code has been given an overall overhaul.
  • The Spartacus plugin can now use FTP upload, a workaround for PHP safe mode restrictions. A remote backend for plugin update checks has also been added.
  • Import scripts for phpNuke and LifeType.

Harvard Joomla Website Hacked

A couple of articles report that a Joomla site for Harvard's Graduate School of Arts and Sciences was hacked. The twist in this case is that the database was made available via BitTorrent. Luckily for Joomla! users, early reports indicate the hack was due to weak password usage and not an actual exploit in the Joomla! software.


MediaWiki: Security and bug fix release

Updated versions of MediaWiki addressing some security issues have been released: MediaWiki 1.11.1, 1.10.3, and 1.9.5.

This is a security and bugfix release of the Fall, Spring, and Winter 2007 snapshot releases of MediaWiki. A potential XSS injection vector affecting api.php only for Microsoft Internet Explorer users has been closed.

To work around the vulnerability without upgrading, you may disable the API if you don't need it:

    $wgEnableAPI = false;

Complete Story

Updates for Wordpress and XOOPS

Yes, Wordpress and XOOPS are two completely separate projects, but they do have at least one thing in common. Both Web applications were updated this past week to address known security vulnerabilities.

Security flaw in Google Toolbar

This is why I'm very cautious about using any type of search engine toolbar (Google, Yahoo, etc.).

Google is working to fix a bug in the Google Toolbar that could allow criminals to steal data or install malicious software on a system, a security researcher warned Tuesday.

The flaw lies in the mechanism Google Toolbar uses to add new buttons on the browser. Because the toolbar does not perform adequate checks when new buttons are being installed, a hacker could make his button appear as though it was being downloaded from a legitimate site when in fact it came from somewhere else.

More information can be found at InfoWorld.

Fix for Nasty Security Exploit in Plone

"This hotfix corrects a vulnerability in the statusmessages and linkintegrity modules, where unsafe network data was interpreted as python pickles. This allows an attacker to run arbitrary python code within the Zope/Plone process.

This issue has been assigned CVE-2007-5741.

Affected versions

  • Plone 2.5 up to and including 2.5.4
  • Plone 3.0 up to and including 3.0.2

These fixes are included in the 2.5.5 and 3.0.3 releases, at which point this hotfix can be removed."

Complete Story

e107: Gold System Plugin Vulnerability

"I have been alerted to a serious issue with the e107 Gold System plugin. Normally we try not to mention vulnerabilities with plugins as this is not our code and it's much harder for us to get it fixed.

However, in this instance I know the exploit is out in the wild so I thought it was serious enough to mention it here. I have alerted the author of the code and hopefully a fix will be out soon."

Complete Story

XOOPS: XOOPS Uploader Security Patch Released

"There is a potential vulnerability identified in the uploader class in case the upload configuration is not set properly by modules. The patch is applicable to all XOOPS versions."

Complete Story

Wordpress 2.2.3 released

Wordpress 2.2.3 has been released as a security and bug fix release. Check Wordpress.org for details.