On Monday 18 May 2009 08:49:54 Grant Baillie wrote:
> 2) I noticed Jared's "OSAF/Chandler Outage Report for 2009-04-28"
> post, i.e.
>
> http://blog.chandlerproject.org/2009/04/29/osafchandler-outage-report-for-2009-04-28/
>
> is showing up blank.

Actually, it was spamjacked. View source on that posting; bleah.

It shows that our blog has been hijacked. I have no idea how, but I've been prepping an "update wordpress to 2.7.1" project for a couple days. Oddly, the first step in a full wordpress update is "disable all the plugins" but I hadn't performed that yet. Odd coincidence.

I don't know what's up with the comments-are-off thing either. I noticed we had a huge round of bogus comments going back to all kinds of old posts a couple days ago; I remember thinking "we should start turning off comments on old posts" but I didn't do anything about that yet either.

I'm somewhat worried about the security breach; I don't know how it happened. The behavior looks very similar to the last big security problem with wordpress (xmlrpc.php), where bad actors can act as another user and update their posts. But we hotpatched for that issue and I can't find any announced problems in subsequent releases. I'll take a careful look at the configuration when I do the update.

I've always considered wordpress a security risk; their track record is not good. Packages with lots of security holes in the past are likely to have lots of security holes in the future. TWiki is in the same category.

-- Jared

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
Open Source Applications Foundation "chandler-dev" mailing list
http://lists.osafoundation.org/mailman/listinfo/chandler-dev
