Birmingham: WordPress has fixed a number of security susceptibilities, together with one that could lead to remote code execution on exposed installations. WordPress 3.6.1 is the new, updated release that consists of the fixes and also takes in some non-security bug fixes and stability changes.
The most serious security issue fixed in WordPress 3.6.1 is a remote-code execution vulnerability related to the way that the software holds certain PHP objects. The vulnerability was found out by a researcher named Tom Van Goethem, who reported it to WordPress in April. It took five months for the fix to emerge in a WordPress release. The bug has to do with the way that WordPress deals with some sequential input.
WordPress says the change in 3.6.1 will “Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution.” The report of the vulnerability from Van Goethem is a bit more comprehensive.
“Another type of vulnerability that an attacker can use when his data is run through theunserialize() function, is “PHP Object Injection”. In this case, object-types are unserialized, enabling the attacker to set all the properties of the object to his choice. When the object’s methods are called, this could have some effect (e.g. removing some file), and as the attacker is able to decide the properties of the object, he might be able to eliminate a file of his choice,” Van Goethem wrote in an clarification of the bug.
“Do not pass untrusted user input to unserialize(). Unserialization can result in code being loaded and executed due to object instantiation and autoloading, and a malicious user may be able to exploit this. Employ a safe, standard data interchange format such as JSON (via json_decode() and json_encode()) if you need to pass serialized data to the user.”
Besides, the PHP vulnerability, WordPress 3.6.1 also includes fixes for two other security vulnerabilities:
WordPress also made an alteration to the software that is intended to make cross-site scripting attacks on WP installations more difficult. The change modifies “security restrictions around file uploads to mitigate the potential for cross-site scripting. The extensions .swf and .exe are no longer allowed by default, and .htm and .html are only allowed if the user has the ability to use unfiltered HTML.”
Read more: WordPress Web Development