EDIT: Thank you Connie for bringing up the issue about the PacketStorm advisory regarding this issue. I’ve added a link to that advisory at the bottom of this post.
Over at Weblog Tools Collection, an article was posted earlier today regarding a vulnerability in version 1.0 of the Deans Permalinks Migration Plugin. The said vulnerability involves XSRF or Cross-site request forgery and allow the attacker to steal valid credentials.
The person who found out about this vulnerability and goes by the name g30rg3_x has an explanation for this vulnerability:
Since the variable $dean_pm_config[’oldstructure’] its not correctly sanitized (when retrieving), this allow any user to store/save “malicious code” inside the database and later be injected this “malicious code” when the data is retrieved. Using the XSRF as a “combo” we can create crafted pages that will force users to conduct this injection and steal some valid credentials to the WordPress based CMS.
As a normal procedure or etiquette for developers and programmers, g30rg3_x contacted the plugin author first to notify him about the vulnerability. But after several failed attempts, he took it upon himself to create and provide a fix for this plugin vulnerability.
If you’re currently using the Dean’s Permalink Migration Plugin version 1.0, it is strongly advised that you deactivate it and/or download/install the modified version to keep your blog secure. You can download the special sub-version 1.1-gx here.
If you want to read the PacketStorm advisory regarding the Dean’s Permalinks Migration Plugin vulnerability, click here. You can find this at page 20 of PacketStorm’s January advisory archives.
Hopefully no one gets victimized by this vulnerability. Have a fun and safe weekend everyone!
@Connie – Hi there! Thanks for bringing that up. I totally forgot to mention about the PacketStorm advisory and to provide the link to it. Anyways, I’ve added a link to the original Packetstorm advisory which you can find in page 20. Again, thanks for the heads up! :D
So where’s the link to the packetstorm advisory? I checked the weblogtools link, found none. I checked all advisories released by packetstorm for January 2008 (http://packetstormsecurity.org/0801-advisories/) and there’s nothing there either.
Isn’t it just as possible that he who claims vulnerability in Dean Lee’s plugin was the one who injected the vulnerability in the revised version?
Shouldn’t the revised version be double checked first before advising people to download it?
@trench – Before I changed my permalink structure, I was also scared to do it. But when I saw other bloggers do it and figured out how to do it, I got enough courage to do it. The Permalink Redirect plugin helped a lot because all traffic that was going to the old permalinks was directed to the new ones.
Btw, I noticed that after I changed the permalinks structure, my SERP rankings improved. :)
yeah, Im to chicken sh*t to try and change my permalinks now! very risky business! I've been getting incredible traffic and my latest PR was 5. So, got to stay focused! haha
@bluep – Ei, how you doin? Long time no see. Good to know that someone is learning and gaining new knowledge or acquiring new information from my blog. That’s the main reason I blog and what keeps me going.
Glad you like the theme. There are many magazine type themes that are widget ready so maybe you can try the other ones if you’re having a hard time with Mimbo. Btw, your current theme looks very nice and you did a great job with it.
You have a good weekend too & God bless! :)
hello jaypee. I haven’t tried this before. Dami ko talaga nahuhukay na plugins dito sa blog mo.
anyhow your new theme is very grand. its like the mimbo theme which resembles an online magazine. I love this magazine type of theme. the mimbo was supposed to be my current theme pero i find it hard to meddle with the codes kaya i just went for the usual widget friendly.
Have a nice weekend jaypee.
@jhay – I almost used this plugin when I changed my permalink structure. Good thing I decided to use the Permalink Redirect plugin.
Haha you read that comment? Anyways, yeah I’m on the lookout for a new reliable webhost. If you want the detailed version, I’ll tell you via IM. :D
It’s a good thing I don’t use this plugin, or any plugin that tinkers with my permalinks. Messing around with it is too risky in my thinking. Once a plugin screws up, your permalinks gets screwed up, and say good bye to PR and traffic. :lol:
BTW, read from iRonnie that you’re planning on switching hosts? Could you tell the story why? I’m just curious, coz you’re leaving DreamHost? lol