New Exploit for WordPress
Published by Sunny on January 13th, 2007 in Internet, News - Views, WordPress
After the wp-admin/templates.php exploit, it's now the turn of the /wp-trackback.php file to be exploited! Rgod has released a new exploit for WordPress 2.0.6 and earlier.
The exploit relies on global variables in “/wp-trackback.php”. It can be used only if the “register_globals” variable on the host PHP server is on (e.g. “/etc/php.ini” has “register_globals=on”) and trackbacks are enabled on WordPress <= 2.0.6. On success, the exploit obtains the admin user's password hash.
If you'd like to defend your blog, check whether the “register_globals” variable on your PHP server is enabled. You can open an SSH session to your server and check this with:
php -i | grep -i register_globals
If the server outputs something like register_globals => Off => Off, then you don’t have to worry about this exploit. If you don’t have SSH access to your machine, you can check whether this variable is switched on by creating, for example, an info.php file on the server whose only content is a call to phpinfo().
Then request this file from your browser, http://yourhost/info.php, and look for the variable “register_globals”.
If the “register_globals” variable is On, all arguments passed through the GET and POST methods to any of your .php scripts automatically become variables that can be used in those scripts. This is the behaviour the exploit relies on.
If, for whatever reason, you cannot disable this setting on the PHP server, the only thing that can save your blog is disabling the trackbacks option, found under “Options/Discussion/Allow link notifications from other Weblogs (pingbacks and trackbacks)”.
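To make the mechanism concrete, here is an added example (not from the original post and not WordPress code) of how a request parameter can pre-set an uninitialised script variable when register_globals is on, next to the hardened form. The function names, the `authorized` variable, the password string and the sample request are assumptions made for illustration; because current PHP no longer has the setting, a small helper emulates it.

```php
<?php
// Constructed demo, not WordPress code. register_globals was removed in
// PHP 5.4, so import_request_globals() (hypothetical) emulates what the
// setting did: each request parameter becomes a global variable.
function import_request_globals(array $request): void
{
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Before: $authorized is only assigned on the success path, so a value
// that already exists in the global scope survives a failed check.
function check_unsafe(string $password): bool
{
    global $authorized;
    if (hash_equals('s3cret-constructed', $password)) {
        $authorized = true;
    }
    return (bool) $authorized;
}

// After: the variable is local and initialised before use, so nothing
// taken from the request can pre-set it.
function check_safe(string $password): bool
{
    $authorized = false;
    if (hash_equals('s3cret-constructed', $password)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed request: a wrong password plus an extra parameter named
// after the script's internal variable.
$request = ['password' => 'wrong', 'authorized' => '1'];
import_request_globals($request);

printf("unsafe check: %s\n", check_unsafe($request['password']) ? 'granted' : 'denied');
printf("safe check:   %s\n", check_safe($request['password']) ? 'granted' : 'denied');
```

Initialising every variable before use is what protects a script even on a host where the setting cannot be turned off.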
via [Café Sofia]

January 13th, 2007 at 8:47 pm
You’ll have to explain this to me on Yahoo..
January 14th, 2007 at 11:01 am
Hmmm..
I checked

Local and Master Value. Both OFF
January 16th, 2007 at 4:50 am
Thanks for telling … never knew about it … wonder what we will get next ..