Another Bug in WordPress < 2.1, This Time in Pingback

Another bug in the WordPress platform was disclosed yesterday. This time the vulnerability is in the XML-RPC pingback implementation shipped with WordPress.

According to the advisory, WordPress does not validate the pingback sourceURI before passing it to wp_remote_fopen(), so a caller can point the fetch at non-HTTP resources such as local files or FTP sources. In particular, a malicious user can use the pingback call to determine whether certain files exist on the server's local file system.
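The fix the advisory implies is an allow-list on the URL scheme before the sourceURI reaches any fetch routine. The following is an added illustration written for this post, not WordPress code: it puts the unchecked pattern the advisory describes next to a checked one, using a hypothetical opener callable in place of wp_remote_fopen() and a constructed set of candidate sourceURIs.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# Schemes a pingback fetcher should be willing to follow. Anything else
# (file, ftp, php, data, ...) is the class of input the advisory describes.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def validate_pingback_source(uri: str) -> tuple[bool, str]:
    """Decide whether a pingback sourceURI may be fetched.

    Returns (ok, reason). The rule is an allow-list on the URL scheme plus
    a requirement for a real host, which is the check the advisory says was
    missing in front of wp_remote_fopen().
    """
    if not isinstance(uri, str) or not uri.strip():
        return False, "empty sourceURI"
    try:
        parts = urlsplit(uri.strip())
    except ValueError as exc:  # e.g. a malformed IPv6 literal
        return False, f"unparseable URL: {exc}"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {scheme or '(none)'}"
    if not parts.hostname:
        return False, "no host in URL"
    return True, "ok"


def unchecked_fetch(uri: str, opener) -> bytes:
    """The vulnerable pattern: the URI goes straight to the fetch routine
    (a hypothetical opener callable here), so file:// and ftp:// URIs reach
    the file system or the network untouched."""
    return opener(uri)


def checked_fetch(uri: str, opener) -> bytes:
    """Hardened form: refuse before anything touches disk or network."""
    ok, reason = validate_pingback_source(uri)
    if not ok:
        raise ValueError(f"rejected pingback sourceURI: {reason}")
    return opener(uri)


# Constructed sample inputs for a self-check (not taken from the advisory).
SAMPLE_SOURCE_URIS = [
    "http://example.com/2007/01/post/",  # ordinary pingback source
    "HTTPS://Example.com/",              # scheme/host case does not matter
    "file:///etc/passwd",                # local file probe
    "ftp://ftp.example.com/pub/",        # FTP source
    "/etc/passwd",                       # relative path, no scheme at all
    "http:///etc/passwd",                # allowed scheme but empty host
    "http://[::1",                       # malformed IPv6 literal
]


def triage(uris=SAMPLE_SOURCE_URIS) -> dict[str, str]:
    """Map each candidate URI to its verdict string."""
    return {u: validate_pingback_source(u)[1] for u in uris}


if __name__ == "__main__":
    for uri, verdict in triage().items():
        print(f"{verdict:32} {uri}")
```

Note that restricting the scheme to http(s) only closes the local-file and FTP cases the advisory talks about; a pingback fetcher can still be pointed at internal hosts over HTTP, so a real deployment also wants to reject loopback and private addresses after resolving the host.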


rgod Releases New Exploit for WordPress <= 2.0.6

This time the exploit abuses global variables in "/wp-trackback.php". It works only if register_globals is enabled in the host's PHP configuration (e.g. "register_globals = On" in "/etc/php.ini") and trackbacks are enabled on the WordPress <= 2.0.6 installation.

On success, the exploit retrieves the password hash of the admin user.
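Since the exploit's precondition is a configuration setting, the practical check is whether register_globals is actually in effect. The following is an added example written for this post, not rgod's code and not part of WordPress or PHP: it reads php.ini text with the parsing rules that matter for this directive (comments, quoting, last assignment wins, PHP's boolean spelling) and shows a constructed weak fragment next to the corrected one.

```python
from __future__ import annotations


def _strip_ini_comment(line: str) -> str:
    """Drop a ';' comment, but leave a ';' inside a quoted value alone."""
    in_quote = None
    for i, ch in enumerate(line):
        if in_quote is None and ch in "\"'":
            in_quote = ch
        elif ch == in_quote:
            in_quote = None
        elif ch == ";" and in_quote is None:
            return line[:i]
    return line


def _ini_bool(value: str) -> bool:
    """PHP's boolean reading of an ini value: on/true/yes or a nonzero
    integer are enabled; off/false/no/none/empty (or any other text) are not."""
    v = value.strip().strip("\"'").strip().lower()
    if v in ("on", "true", "yes"):
        return True
    try:
        return int(v) != 0
    except ValueError:
        return False


def register_globals_enabled(ini_text: str) -> bool:
    """Report whether register_globals ends up On in the given php.ini text.

    ';' begins a comment, so a commented-out "Off" line has no effect;
    section headers are skipped; the last assignment wins. A missing
    directive means Off, which has been PHP's default since 4.2.0.
    """
    enabled = False
    for raw in ini_text.splitlines():
        line = _strip_ini_comment(raw).strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key != "register_globals":
            continue
        enabled = _ini_bool(value)
    return enabled


# Constructed php.ini fragments (not taken from any real host).
WEAK_INI = """
[PHP]
; register_globals = Off    <- commented out, so it has no effect
register_globals = On       ; this is the line that makes the exploit viable
"""

FIXED_INI = """
[PHP]
register_globals = Off
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_INI), ("fixed", FIXED_INI)):
        state = "On" if register_globals_enabled(text) else "Off"
        print(f"{name}: register_globals = {state}")
```

The main php.ini is not the last word: with mod_php a "php_flag register_globals on" in httpd.conf or a .htaccess file overrides it per directory, so confirm the effective value from phpinfo() for the web SAPI rather than from the file alone. The directive was removed altogether in PHP 5.4.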


World's Highest Website

The author claims that the website is 18.939 kilometers high (about 11.769 miles), and the tallest "div" element in the world is defined like this:

div#whws {
  font-size: 100cm;
  height: 18939em;
  line-height: 1.0;
}

Since 1em equals the element's font-size, 18939em at 100cm works out to 1,893,900 cm, i.e. 18.939 km. And here's the address - http://worlds-highest-website.com
