0-day vulnerability on WordPress 3.x (remote command execution) - sucuri2
http://blog.sucuri.net/2011/04/serious-security-vulnerability-on-wordpress-3-x-remote-command-execution.html

======
nbpoole
Lying about a highly dangerous 0-day in a very widely distributed piece of
software seems in bad taste, even for April Fools' Day.

~~~
fredoliveira
Particularly when you also implicate someone specific in the process.

~~~
nbpoole
Indeed.

The danger is that people will read "0 day" and start freaking out. If you
actually read the post, you see a couple of warning signs:

1. They claim it's part of a larger conspiracy and that people should sue
Automattic.

2. The "vulnerable" filename is wp-att.php, as in AT&T.

3. They point out that the MD5sums to trigger this behavior come from the
words "remote_control" and "nsa".

But even noticing that, I still felt the need to log in to my server and make
sure the file didn't actually exist; when someone cries "0 day", it would be
irresponsible of me not to, no matter how crazy they sound.

------
mikecane
OK, if that was April Fools', it's in very, very bad taste. People like me who
aren't hackers or technically savvy will take it seriously. I tweeted it
around. At the end they could have at least said "April Fools", FFS!

------
cheald
There are April Fools' jokes, and there's "seriously nasty month-ruining
unpatched exploit in the wild". This is not a good example of the former.