WordPress MU 1.3.3 has just been released and again is a must-have upgrade for all users. It syncs with WordPress 2.3.3 which is a major security update.
If you haven't upgraded to 1.3.2 then you need to skip that and go to 1.3.3 right now. Here's a list of the security fixes in 1.3.2:
1. The options pages were overhauled and security tightened. Alexander Concha released an exploit that allows any user with "'manage_options' and 'upload_files' capabilities" to execute arbitrary PHP code. Here's the exploit. I hope you've all upgraded.
2. The signup page authentication was missing where new user registration was turned off. A carefully crafted POST could create empty blogs. (I just want to thank the spammers who attacked my dev server with this, it helped me find the exploit, thanks guys!)
3. Alexander also discovered that file size on upload wasn't checked all the time.
Download 1.3.3 at http://mu.wordpress.org/download/
That was quick. Thanks Donncha!
Trent
Do the security issues also affect the 1.2 branch?
I'm waiting until the end of the quarter to upgrade from 1.2.5a since things are just too crazy while class is in session.
webmastermemento
Member
Posted 17 years ago #
It doesn't solve the cookie problem:
http://mu.wordpress.org/forums/topic.php?id=7293&page&replies=13
By the way, is the team developing Wordpress Mu the same as the Wordpress Single Blog one? If yes, why is there such a problem with Wordpress Mu whereas it is non-existent with Wordpress Single Blog?
Thanks.
Hello
Sorry if this is dumb, but just started to use Mu again and have made the upgrade as recommended.
On WordPress and formerly on WordPress Mu, you could see which version you are running from control panel footer etc. This seems to have disappeared and I did not get the upgrade warning you get with ordinary WordPress.
Or have I missed something?
Thanks
billnoyes
Member
Posted 17 years ago #
I had to think about that one too. You can view the version.php file located in wp-includes and it will tell you all the version info, including the DB version.
bloggus
Member
Posted 17 years ago #
Thanks donncha! Speedy-donncha!
adamrbrown - yes, most definitely. Any and all WordPress MU versions are vulnerable to the options exploit.
webmastermemento - I haven't seen that problem myself, but I don't use IE. It's not exactly clear where or why the error is because it works fine for most people. Anyway, this is a core WP issue as it affects both projects. Maybe you should reopen this ticket as it's the same code.
jackiedobson
Member
Posted 17 years ago #
This is the solution that solved it for us
Link
It leads to a comment by clevermonkey on that blog.
Thanks donncha!
Upgraded our setup from 1.3 to 1.3.3 and we haven't found any problems so far.