Websites hacked through MetaWebLog API

As reported here, there’s another exploit in the wild that allows a hacker to go through the MetaWebLog API and hack your WordPress blog:

Jason has found a flaw in any blog that supports RSS and MetaWeblogAPI. At first, I thought that it might have been a flaw that was specific to the software that Randy uses, but as Randy shows, the world’s most popular blogging platform, WordPress, is also vulnerable. He was able to “hack” 5 different blogs, using the Host Overflow Application eXception vulnerability in RSS.

That Randy would be Randy Charles Morin of the RSS Blog. Randy turned right around and tested the hack on five other sites, including the blog of Danny Ayers. I chatted with Randy in email and he said he didn’t know of a way to patch WordPress at the moment.

To pick nits, I take issue that some people are talking about this as an RSS hack or an RSS buffer overflow problem. RSS is marked-up text, not an application, so a feed by itself cannot overflow anything; only the code that parses or acts on it can. The MetaWebLog API (by Dave Winer, ironically) implementation in WordPress (not by Dave Winer) seems to be the problem.

Needless to say, I’m a bit nervous about the whole thing, since inkBlots is running in WordPress.

This blog h4x0red using Host Overflow Application eXception.

I’ll post updates / links to a patch as soon as I’m aware of one. I’ve heard there is a patch for TypePad, but the supposed author hasn’t posted anything about it yet.

2 Responses to “Websites hacked through MetaWebLog API”

  1. Randy Charles Morin Says:

    Jason has posted a patch.
    http://www.jasonblogs.com/2006/10/03/patch-for-host-overflow-application-exception/

  2. Mark Woodman Says:

    For those of you still hitting this page, it’s a shared hoax/joke. Looky:

    Hoax Overflow Application eXception.