Burning Questions

The official FeedBurner weblog.


October 03, 2007

The FeedSmith Plugin: newly fortified as part of this delicious breakfast

This post is a quick note from the foreman down at the FeedBurner ironworks and custom tools depot. If you're a new or longtime user of FeedBurner FeedSmith — our plugin for WordPress that helps ensure you count all of your blog's feed traffic through FeedBurner — there is a recommended security-related update to this plugin for you to download. Here are the details:

Potential security vulnerability
Some WordPress plugins that accept user-entered values through a settings form, such as older versions of FeedSmith, can be vulnerable to what is called a "cross-site request forgery." Without getting overly technical, this permits someone to change WordPress plugin settings on your system without you noticing, by getting your browser to submit a request on their behalf during the time you are signed into your WordPress control panel. And no one wants that.

How to protect your feed
Protect your feed by downloading FeedSmith v2.3, which is available now. This newest release ensures that the only person who may change FeedSmith settings is the administrative account that is signed into your WordPress control panel. If you are following our WordPress QuickStart guide to get started with FeedBurner, the link to download FeedSmith provided in that QuickStart has already been updated to point to v2.3. To verify the version of the plugin you have, visit the "Plugins" tab within the WordPress control panel and look for FeedSmith's entry; the version number is displayed there.
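To make the problem and the fix concrete, here is an added illustration (not FeedSmith's own code) of a WordPress settings handler before and after the standard protection: a per-session nonce that the form emits and the handler verifies, plus a capability check. The option name, action string and function names are hypothetical; the WordPress API calls (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `update_option`) are real.

```php
<?php
// Added illustration, not FeedSmith's code. Option name, action string and
// function names are hypothetical; the WordPress API calls are real.

// BEFORE: the handler trusts any POST that arrives while an admin is logged in.
// A request triggered from another site carries the admin's cookies, so it is
// indistinguishable from one the admin submitted on purpose.
function example_save_settings_vulnerable() {
    if ( isset( $_POST['example_feed_url'] ) ) {
        update_option( 'example_feed_url', $_POST['example_feed_url'] );
    }
}

// AFTER: require proof that the form came from this site's own admin page.
function example_save_settings_fixed() {
    if ( ! isset( $_POST['example_feed_url'] ) ) {
        return;
    }
    // 1. The request must carry a valid nonce tied to this action and to the
    //    logged-in user's session; check_admin_referer() aborts otherwise.
    check_admin_referer( 'example_save_settings' );
    // 2. The logged-in user must actually be allowed to manage options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // 3. Sanitize before storing: the value will later be used as a redirect target.
    update_option( 'example_feed_url', esc_url_raw( $_POST['example_feed_url'] ) );
}

// The settings form emits the hidden nonce field that the fixed handler checks.
function example_render_settings_page() {
    $current = get_option( 'example_feed_url', '' );
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'example_save_settings' ); ?>
        <label>Feed URL
            <input type="text" name="example_feed_url"
                   value="<?php echo esc_attr( $current ); ?>" />
        </label>
        <input type="submit" value="Save" />
    </form>
    <?php
}

function example_register_settings_page() {
    add_options_page( 'Example Feed', 'Example Feed', 'manage_options',
                      'example-feed', 'example_render_settings_page' );
}
add_action( 'admin_init', 'example_save_settings_fixed' );
add_action( 'admin_menu', 'example_register_settings_page' );
```

A forged request from another site cannot include a valid nonce, so the fixed handler rejects it even though the victim's login cookies are attached.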

If you currently use FeedSmith on your WordPress-powered site, follow these instructions to update this plugin.

  1. Download version 2.3 of the plugin.
  2. Sign in to your WordPress admin control panel.
  3. Under Plugins, locate the current FeedSmith plugin, and click "Deactivate."
  4. Copy the plugin file, FeedBurner_FeedSmith_Plugin.php, into your default WordPress plugin directory, wp-content/plugins/.
  5. Reactivate the plugin by logging in to your WordPress administration area, clicking Plugins, then clicking Activate at the end of the "FeedBurner FeedSmith" row.

At the end of this process, v2.3 will be active and will use your existing feed redirection settings; there is no need to re-enter them. You will also be protected against any potential request forgery attack.

We'd like to thank Blog Security for their recent writeup of this potential exploit. Software is fun!

Posted by Matt at 07:41 PM
Comments (9)

Comments

Thanks for alerting us about this. I went ahead and updated my blogs.

Awesome, thank you! I'm going to update my blog right now. :-)

Hmm... the people who find these security exploits must either have way too much free time or they are absolute geniuses (or both).

Anyway, just upgraded, went smoothly like always :)

Thanks for the update. It seems every day there are more and more ways to exploit everything. At least the community lets us know though.

Great upgrade, thanks for the update.

Raoul, we don't have a lot of time at all, champ; it's just what BlogSecurity.net is all about.

Thanks again to FeedBurner for their quick response to our advisory. If only more vendors would follow your guys' example.

Thanks for being open about vulnerabilities with your system and publishing the fixes. FeedBurner is the best!

Off Topic - but congrats on feed #1 million!

I'm really thankful that I switched to FB as I get ready to move my blog hosting - my feeds remain unaffected since I use FB :)

I also want to say thanks for updating so fast.

But...

Can you please add feedsmith to the wordpress plugins directory? That way WP 2.3 would tell me automatically when an upgrade was released.

It was a lucky chance I visited the site today and noticed the upgrade.

(If it is already there, my apologies. The automatic update alert certainly didn't appear for me.)

Powered by Movable Type 3.2

©2004-2006 FeedBurner, Inc. All Rights Reserved.