来自:venturebeat,译文版权所有。
无处不在的博客服务WordPress已经发布了一个关键的安全版本以修复漏洞,此漏洞可能已影响数以百万计的网站安全。
“WordPress4.2.2和早期版本受一个极重要的跨站脚本漏洞的影响,这可能允许匿名用户破坏一个网站,“Wordpresser加里在博客中解释。跨站脚本,或者XSS,是开放目标(即网站)受攻击的Web应用代码漏洞,同时它也是黑客最常使用的管道之一。
这些漏洞的代码,黑客能够嵌入恶意HTML,Flash,JavaScript,和其他代码“戏弄”用户在他们的计算机上执行一个脚本。这可能会导致用户数据的采集,包括存储在机器上的cookies。
好消息是,一位WordPress用户私下地报告这个漏洞,让社会来解决这个问题,从而没有导致其成为公共事件。然而,漏洞修复需要用户升级到4.2.3版本,这在WordPress的主仪表盘是很容易做的。
WordPress也利用这个机会介绍其他一些bug修复。
WordPress issues critical security release to fix vulnerability that could’ve exposed websites to hackers
Ubiquitous blogging service WordPress has issued a critical security release to fix a vulnerability that could’ve compromised the security of millions of websites.
“WordPress versions 4.2.2 and earlier are affected by a critical cross-site scripting vulnerability, which could allow anonymous users to compromise a site,” explained WordPresser Gary Pendergast in a blog post.Cross-site scripting, or XSS, is a vulnerability in the code of Web applications that opens up the target (i.e. website) to attacks, and it’s one of the most common conduits used by hackers.
With these vulnerabilities in the code, hackers are able to embed malicious HTML, Flash, JavaScript, and other code to “fool” the user into executing a script on their computer. This can lead to the collection of user data, including cookies stored on the machine.
The good news is, a WordPress user reported the vulnerability privately, allowing the community to fix the issue without it becoming public knowledge. However, the fix does require users to upgrade to version 4.2.3, which is easy enough to do from within the main WordPress dashboard.
WordPress has also taken this opportunity to introduce a handful of other bug fixes.
附,Release和Debug的区别:
Debug通常称为调试版本,它包含调试信息,并且不作任何优化,便于程序员调试程序。Release称为发布版本,它往往是进行了各种优化,使得程序在代码大小和运行速度上都是最优的,以便用户很好地使用。
增长知识了