New Wordpress exploit also affects version 2.0.6
An exploit has emerged for the Wordpress blogging system which may, under certain circumstances, affect the current version 2.0.6. As a result of a bug in PHP, the exploit allows an attacker to read the administrator password hash and, following slight modifications, to make arbitrary changes to the Wordpress database. The attached commentary suggests that it only works on servers with an older version of PHP and also requires the insecure configuration option register_globals = on.
Initial speculation linking the exploit to the recent defacement of the StudiVZ blog has not, however, been confirmed. The owners of the blog had just recently updated to version 2.0.6. PHP security expert Stefan Esser has told heise Security that he suspects that the attackers did not gain access to the StudiVZ server by using the new exploit. He considers it far more likely that the attackers had already gained access via a previously identified vulnerability in Wordpress 2.0.5, which had been running at the site for some time, and had merely waited for a good moment to deface the site. The exploit for the previous version, which has been available for some time, requires neither specific versions of PHP nor register_globals = on.
According to Esser, the bug exploited by the new exploit is not in Wordpress itself, which includes checks against the intrusion technique used. If, however, a server is running a version of PHP that contains the zend_hash_del_key_or_index bug, this protection can be circumvented. Unpatched PHP versions prior to 4.4.3 or 5.1.4 are affected. The vulnerability is not present in current Linux distributions; it was also fixed back in August in the PHP 4.3.10 package in Debian stable.
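The two preconditions named above (an unpatched PHP older than 4.4.3 or 5.1.4, and register_globals switched on) can be turned into a quick triage check for a server inventory. The following is an added example, not code from heise or from the Wordpress project; it assumes the version thresholds stated in the article, treats a distribution backport (such as the Debian 4.3.10 fix mentioned above) as something the version string alone cannot reveal, and therefore takes it as an explicit `vendor_patched` flag. The php.ini fragment is constructed.

```python
import re

# Version thresholds from the article: a PHP 4.x older than 4.4.3 or a PHP 5.x
# older than 5.1.4 still carries the zend_hash_del_key_or_index bug unless the
# distribution backported the fix (which the version number does not show).
FIXED_VERSIONS = {4: (4, 4, 3), 5: (5, 1, 4)}


def parse_version(version: str) -> tuple:
    """Turn '4.4.2' or '5.1.4-1' into a comparable (major, minor, patch) tuple."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError("unrecognised PHP version string: %r" % version)
    return tuple(int(part) for part in match.groups())


def php_version_in_affected_range(version: str) -> bool:
    """True if the version string falls below the fixed release of its branch."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        # Branches the article does not mention (e.g. a later major) are not
        # claimed to be affected; report them as out of range.
        return False
    return parsed < fixed


def register_globals_enabled(ini_text: str) -> bool:
    """Read register_globals from php.ini text; ';' starts a comment.

    PHP accepts On/1/True/Yes as truthy; anything else counts as off, and the
    default since PHP 4.2 is off, so a missing directive means off.
    """
    for raw_line in ini_text.splitlines():
        line = raw_line.split(";", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == "register_globals":
            return value.strip().strip('"').lower() in ("on", "1", "true", "yes")
    return False


def triage(version: str, ini_text: str, vendor_patched: bool = False) -> str:
    """Classify a host against the two preconditions named in the article.

    vendor_patched is an assumption of this example: set it when the package
    is known to carry a backported fix, since the version string alone
    cannot show that.
    """
    if vendor_patched or not php_version_in_affected_range(version):
        return "php-not-affected"
    if not register_globals_enabled(ini_text):
        return "register_globals-off"
    return "exposed"


# Constructed php.ini fragment for a stand-alone run.
SAMPLE_INI = """
; register_globals = On   <- commented out, must be ignored
register_globals = On
display_errors = Off
"""

if __name__ == "__main__":
    for host, ver, patched in (("web1", "4.4.2", False),
                               ("web2", "4.3.10", True),
                               ("web3", "5.1.4", False)):
        print(host, ver, triage(ver, SAMPLE_INI, vendor_patched=patched))
```

The check is deliberately conservative in one direction only: a version below the threshold is reported as exposed unless the operator asserts a backport, because the defacement discussion above shows how easily an old package is assumed safe when it is not.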