WordPress 2.1.1 contained a trojan horse

Posted Mar 4, 2007 11:34 UTC (Sun) by rickmoen (subscriber, #6943)
In reply to: WordPress 2.1.1 contained a trojan horse by miah
Parent article: WordPress 2.1.1 contained a trojan horse

"miah" wrote:

This is why checksums should also be accompanied by a cryptographic signature.

Exactly so. Note that the main download page doesn't even offer the md5sum, only a tarball or Zip archive. The separate archive page lets you get the md5sums, but you're given no means of verifying their validity; evidently, the developers aren't bothering to sign their releases.

This is the reason why Web apps have been the low-hanging-fruit *ix intrusion vector of choice (aside from phishing and theft of security tokens on compromised hosts) over the last few years -- and why admins should be super-careful about anything they install from upstream tarballs.

Rick Moen
rick@linuxmafia.com
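
An added example, not part of the original comment or of any WordPress tooling: Go code contrasting a checksum list fetched from the download server with a checksum manifest signed by a key the admin pinned out of band. SHA-256 and Ed25519 stand in here for the md5sum and a GnuPG signature; the file name, archive bytes and function names are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// manifestFor builds one sha256sum-style "digest  filename" line.
func manifestFor(name string, data []byte) []byte {
	return []byte(fmt.Sprintf("%x  %s\n", sha256.Sum256(data), name))
}

// ChecksumOnly trusts a manifest fetched from the same server as the archive.
func ChecksumOnly(name string, archive, manifest []byte) bool {
	return bytes.Equal(manifestFor(name, archive), manifest)
}

// VerifyRelease authenticates the manifest against a pinned key, then the digest.
func VerifyRelease(pinned ed25519.PublicKey, name string, archive, manifest, sig []byte) error {
	if !ed25519.Verify(pinned, manifest, sig) {
		return errors.New("manifest signature does not verify against pinned key")
	}
	if !ChecksumOnly(name, archive, manifest) {
		return errors.New("archive does not match signed manifest")
	}
	return nil
}

// Scenario (constructed data): archive and manifest both replaced on the server; signing key kept elsewhere.
func Scenario() (weak bool, modified, genuine error) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	name := "release.tar.gz" // hypothetical file name
	good, bad := []byte("constructed genuine archive"), []byte("constructed modified archive")
	manifest := manifestFor(name, good)
	sig := ed25519.Sign(priv, manifest) // published next to the manifest
	swapped := manifestFor(name, bad)   // manifest regenerated to match the modified archive
	return ChecksumOnly(name, bad, swapped),
		VerifyRelease(pub, name, bad, swapped, sig),
		VerifyRelease(pub, name, good, manifest, sig)
}

func main() {
	fmt.Println(Scenario())
}
```

The checksum-only comparison accepts the replaced archive because its manifest was replaced with it, while the signed check fails unless both archive and manifest are the ones the key holder signed.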



Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds