Forum Replies Created

Viewing 15 replies - 1 through 15 (of 17 total)
  • Downloaded and ran the exploit, but also here, it would not want to do anything and died …

    I also generate the passwords as random; so no easy guessing.

    Still, the underlying vulnerability is scary, and ??

    Hoping for a patch, nevertheless.

    Thread Starter udippel

    (@udippel)

    Yes, it looks good: Just had to be very careful: It would always jump back to the old URL while getting in as admin. Once I changed to the new URL and updated, everything was fine.

    I didn’t really try; but would it not work better (at least easier), if you entered the new URL already on the old site, clicked ‘Update’ and made a backup then ?

    Thread Starter udippel

    (@udippel)

    Thanks so much ! I’ll try tonight …

    And sorry for missing the ‘Moving’ in codex. Probably I was thinking too technically and searched ‘backup’ and ‘restore’.

    Thread Starter udippel

    (@udippel)

    I hope to understand the problem by now: Since I move to another URL, I need to substitute all the old URLs with the new ones, right ? That is, update all references.
    Is a simple, single update in the admin panel of WordPress on the new server really enough ? I found the following in a set of great ‘HowTo’: (https://www.tamba2.org.uk/wordpress/move/)

    “[…] download this file: SCR 1.0.002 Freeware edition (13KB) . Use that to search and replace your website url with your Xampp url.”

    I have windows, but no Windows; and I don’t understand the rest either. From this description, you’d have to ‘find…replace’ a plurality of occurrences.
    Is there any other method ? I don’t mind using native SQL if I knew more about the structure of the tables.

    Do I at least understand the matter correctly ?

    If it is still relevant to you, I am in a very similar position and I hacked together a solution of a different approach: a plurality of individual blogs (‘plural blogs’) to be set up within minutes.

    Check https://metalab.uniten.edu.my/~uwe/resources/HOWTOs/Wordpress2.html

    for details.

    Download the files, and issuing

    blogadd foo

    will create everything, copy the files, create the database and setup wp-config.php for a plurality of users; I have 150 potential users, btw.

    This is *not* multiblog; but on modern harddisks we have sufficient space to bite the (wordpress) bullet and have each user having her own files in her user directory.

    My work of last weekend; so feedback is welcome !

    Uwe

    Thread Starter udippel

    (@udippel)

    Look, don’t scold me for *some* ability to use shell commands. Otherwise I couldn’t be admin.
    And don’t make me angry with “because you don’t need any of them”. I do need these for wordpress, because unfortunately it doesn’t support multi-blog.

    Now, here is the solution: The file that I downloaded yesterday:
    ls -l latest.tar.gz
    187996 Oct 21 19:54
    The one that I downloaded today:
    ls -l latest.tar.gz
    298514 Oct 22 16:59

    Believe me or not (I keep the one !) the file of yesterday un-tars without problems. So I didn’t expect anything wrong with the archive.

    Meaning, at one moment yesterday there was an incomplete archive in the download area.
    My only explanation. My fault: I ought to have thought of downloading another time.

    Thanks for all the pointers and help, nevertheless ! I appreciate your quick reactions and efforts to get things solved !

    Uwe

    Thread Starter udippel

    (@udippel)

    My last comment here:
    I set the mysql log and found that no query has been sent to the database.
    I ought to have checked before ! So it is nothing to do with the database.
    The very moment a wp-config.php exists, the whole thing craps out and displays blank or – if wp-config.php is a text file – that text file.

    Thread Starter udippel

    (@udippel)

    No, alas.

    rm -Rf *
    tar xfvz ../latest.tar.gz
    [Point browser to it: “There doesn’t seem to be a wp-config.php file. I need this before …”]
    [create new database with mysql]
    cp wp-config-sample.php wp-config.php
    vi wp-config.php
    [edit new database particulars]
    [Point browser to it:]
    *Blank*
    ‘View Source’: nothing

    What now ? Still no bug of 1.5.2 ? What then ?? What am I doing wrong ??

    Thread Starter udippel

    (@udippel)

    Ah, thanks for the hint. So what you’re saying is, that the database schema has changed and I cannot simply connect my users to a database ‘touched’ by 1.5 once the version is at 1.5.2. Is that correct ?
    I need to know, because the database(s) have been created with a php-script several months ago; and *maybe* been touched with 1.5 for testing and experimental reasons.

    Thanks,

    Uwe

    Thread Starter udippel

    (@udippel)

    Sorry, I ought to be clear and clean:
    The existing blog is empty. It was a test. It ran. That’s all.
    Now I intend to roll out the thingy for some 150 users; and I don’t want to do so with 1.5 for security reasons as everyone will understand. So I made a fresh install; got that “There doesn’t seem to be a wp-config.php file. I need this before …”
    I created one – puff – blank page. I copied the wp-config.php from the old test-1.5 into the directory: still blank. I ‘rm -Rf *’ and copied the whole wordpress-directory from the backup into there and got the setup-screen; meaning everything is okay.
    And so forth and back, three times.

    This is why I have zero interest in ‘upgrade’; but a huge one in ‘fresh install’. And now I wonder why the fresh install craps out.

    Thread Starter udippel

    (@udippel)

    No, I didn’t. But if you read my post again: my concern is *not* the upgrade !
    My concern is that I seem to be unable to run a *fresh install* of 1.5.2 on my box. Which is what I did: a fresh install. Neither editing a new wp-config.php nor copying the ‘old’ one (1.5 to 1.5.2) seem to get me more than a blank page.

    Should I not be able to install 1.5.2 from scratch ?? After I managed to get 1.5 up and running ?
    Serious question: Is a fresh install supposed to run properly with the wp-config.php of 1.5 ? Maybe not. But still: how do I get a clean install up and running then ?

    Thread Starter udippel

    (@udippel)

    Thanks for the pointer. Really.
    I still would appreciate something like this (further down) linked to from the home page; including the e-mail link.
    This would show security concerns openly; I would not have felt a need to post this in here.
    Open Source also means transparency; and a contact mail for concerns.
    Maybe you can think about less obfuscation. It would have avoided this thread.

    Uwe

    Every single reader here is invited to participate in WordPress’ development. If you notice problems, please log them at trac.www.ads-software.com. If you discover a severe vulnerability, email [email protected]. The Open Source mantra is “With many eyes, all bugs are small.” By working together, we can squash bugs and make sure that WordPress is as secure as it can be.

    Thread Starter udippel

    (@udippel)

    Of course I did. Maybe it is a disappointing search function ? ??

    Definitively I also tried the main page; there was no hint; there is no ‘news’; tried the ‘support’ page, and there was no topic ‘security’, but:

    404 admin archives blog calendar categories category comments CSS database email Error feed gallery header help htaccess IE image images Import installation link links login MySQL page Pages permalink permalinks photoblog php plugin post posts problem review RSS search sidebar tags template Theme upgrade wordpress

    Seriously, it should not be the secunia advisory pointing out possible problems, but WordPress home, support, news or whatsoever. IMHO.

    Try it out: Type ‘security’ in the search box; and what you get is older than 3 weeks; the first doc of May 2005 (if memory serves well).

    Thread Starter udippel

    (@udippel)

    Thanks everyone; I’m done !

    I had two problems:
    One with the mysql-socket in OpenBSD’s chroot-jail setup;
    then I could connect phpmyadmin.
    Still, the database problem could only be ‘solved’ by completely removing mysql-server and putting it back.
    Then the description created – as expected – the correct user parameters immediately.

    (I hate this as ‘solution’; but in the end it was the only one).

    Thanks again,

    looking forward to start blogging …

    Uwe

    Thread Starter udippel

    (@udippel)

    Got somewhat further:
    Though I followed the description, what I have is finally a user without password; and can connect, but not select.

    Strange, since I followed the description using PhPMyAdmin, and did it again, following “Using the MySQL Client”.

    By now it looks like a mysql problem more than a wordpress problem; respectively a problem of the description how to create the user and the database; respectively my understanding of it.

    mysql> CREATE DATABASE uwedb;
    Query OK, 1 row affected (0.01 sec)

    mysql> GRANT ALL PRIVILEGES ON uwedb.* TO "udippel"@"hostname"
    -> IDENTIFIED BY "mypass";
    Query OK, 0 rows affected (0.01 sec)

    mysql> EXIT
    Bye

    This is where I can connect to; without password, and without selection:

    define('DB_NAME', 'uwedb'); // The name of the database
    define('DB_USER', 'udippel'); // Your MySQL username
    define('DB_PASSWORD', ''); // …and password
    define('DB_HOST', 'localhost');
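
Added example, not part of the original post: a MySQL account is the pair user@host, so the GRANT above creates "udippel"@"hostname" while wp-config.php connects through localhost. The statements below show which account a session actually matched and create the account for the host WordPress uses; the existence of a default anonymous ''@'localhost' account on this server is an assumption, and 'mypass' is the placeholder password from the post.

```sql
-- Run inside the session that "can connect, but not select".
-- USER() is what the client asked for; CURRENT_USER() is the account
-- MySQL actually matched. An empty user part (e.g. @localhost) means
-- the session fell through to an anonymous account.
SELECT USER(), CURRENT_USER();

-- As root: list the accounts. Look for rows with an empty User
-- (anonymous) and check which Host values exist for udippel.
SELECT User, Host FROM mysql.user ORDER BY User, Host;

-- Privileges of the account created by the GRANT in the post.
SHOW GRANTS FOR 'udippel'@'hostname';

-- Create the account for the host named in DB_HOST and scope it to the
-- single database WordPress uses.
GRANT ALL PRIVILEGES ON uwedb.* TO 'udippel'@'localhost'
    IDENTIFIED BY 'mypass';   -- MySQL 4.x/5.x syntax, as in the post
-- On MySQL 8.0 and later, where GRANT ... IDENTIFIED BY was removed:
--   CREATE USER 'udippel'@'localhost' IDENTIFIED BY 'mypass';
--   GRANT ALL PRIVILEGES ON uwedb.* TO 'udippel'@'localhost';

-- Remove the passwordless anonymous account if the listing showed one
-- (assumption: it exists on this server).
DROP USER ''@'localhost';
```

DB_PASSWORD in wp-config.php then has to carry the same password; a connection that still succeeds with an empty DB_PASSWORD means a passwordless account is being matched.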
