WordPress MU 1.3.3 (11 posts)

  1. donncha
    Key Master
    Posted 11 years ago #

    WordPress MU 1.3.3 has just been released and again is a must-have upgrade for all users. It syncs with WordPress 2.3.3 which is a major security update.

    If you haven't upgraded to 1.3.2 then you need to skip that and go to 1.3.3 right now. Here's a list of the security fixes in 1.3.2:

    1. The options pages were overhauled and security tightened. Alexander Concha released an exploit that allows any user with "'manage_options' and 'upload_files' capabilities" to execute arbitrary PHP code. Here's the exploit. I hope you've all upgraded.
    2. The signup page authentication was missing where new user registration was turned off. A carefully crafted POST could create empty blogs. (I just want to thank the spammers who attacked my dev server with this, it helped me find the exploit, thanks guys!)
    3. Alexander also discovered that file size on upload wasn't checked all the time.

    Download 1.3.3 at http://mu.wordpress.org/download/

  2. GIGALinux
    Member
    Posted 11 years ago #

  3. Trent
    Member
    Posted 11 years ago #

    That was quick. Thanks Donncha!

    Trent

  4. adamrbrown
    Member
    Posted 11 years ago #

    Do the security issues also affect the 1.2 branch?

    I'm waiting until the end of the quarter to upgrade from 1.2.5a since things are just too crazy while class is in session.

  5. webmastermemento
    Member
    Posted 11 years ago #

    It doesn't solve the cookie problem:
    http://mu.wordpress.org/forums/topic.php?id=7293&page&replies=13

    By the way, is the team developing WordPress MU the same as the WordPress Single Blog team? If yes, why is there such a problem with WordPress MU whereas it is non-existent with WordPress Single Blog?

    Thanks.

  6. nocomment
    Member
    Posted 11 years ago #

    Hello

    Sorry if this is dumb, but just started to use Mu again and have made the upgrade as recommended.

    On WordPress and formerly on WordPress Mu, you could see which version you are running from control panel footer etc. This seems to have disappeared and I did not get the upgrade warning you get with ordinary WordPress.

    Or have I missed something?

    Thanks

  7. billnoyes
    Member
    Posted 11 years ago #

    I had to think about that one too. You can view the version.php file located in wp-includes and it will tell you all the version info, including the DB version.
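
The version check described in the post above, as an added example that is not part of the original thread or of the WordPress MU code base: it parses `wp-includes/version.php` as text (without executing it) and reports whether the install predates 1.3.3. The variable name `$wpmu_version` and the sample file contents are assumptions about the stock file layout.

```python
import re
import sys

FIXED_MU = (1, 3, 3)  # release named in the announcement at the top of the thread

# Constructed sample input; variable names are assumed, not taken from the thread.
SAMPLE_VERSION_PHP = """<?php
// constructed sample of wp-includes/version.php
$wp_version = '2.3.2';
$wpmu_version = '1.3.2';
$wp_db_version = 6124;
?>"""

# Matches simple scalar assignments such as  $name = 'value';  or  $name = 123;
ASSIGN = re.compile(r"""^\s*\$(\w+)\s*=\s*['"]?([^'";]+)['"]?\s*;""", re.M)

def parse_version_php(text):
    """Return {variable: value} for scalar assignments, without running any PHP."""
    return {name: value.strip() for name, value in ASSIGN.findall(text)}

def version_tuple(version):
    """'1.2.5a' -> (1, 2, 5): leading digits of each dotted part, padded to 3."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple((parts + [0, 0, 0])[:3])

def needs_upgrade(text, fixed=FIXED_MU):
    """Return (True if the MU version is older than `fixed`, parsed variables)."""
    info = parse_version_php(text)
    mu = info.get("wpmu_version")
    if mu is None:
        raise ValueError("no $wpmu_version found; is this a WordPress MU version.php?")
    return version_tuple(mu) < fixed, info

if __name__ == "__main__":
    # Pass a path to wp-includes/version.php, or run with no argument for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.read()
    else:
        source = SAMPLE_VERSION_PHP
    outdated, info = needs_upgrade(source)
    print(info)
    print("UPGRADE NEEDED" if outdated else "at or above 1.3.3")
```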

  8. bloggus
    Member
    Posted 11 years ago #

    Thanks donncha! Speedy-donncha!

  9. donncha
    Key Master
    Posted 11 years ago #

    adamrbrown - yes, most definitely. Any and all WordPress MU versions are vulnerable to the options exploit.

    webmastermemento - I haven't seen that problem myself, but I don't use IE. It's not exactly clear where or why the error is because it works fine for most people. Anyway, this is a core WP issue as it affects both projects. Maybe you should reopen this ticket as it's the same code.

  10. jackiedobson
    Member
    Posted 11 years ago #

    This is the solution that solved it for us

    Link

    It leads to a comment by clevermonkey on that blog.

  11. jamescollins
    Member
    Posted 11 years ago #

    Thanks donncha!

    Upgraded our setup from 1.3 to 1.3.3 and we haven't found any problems so far.

About this Topic

  • Started 11 years ago by donncha
  • Latest reply from jamescollins