I logged in to my mail today and found a dozen notifications of new user registrations — I have things set up so that I get an email whenever anybody registers an account on this site. While it's exciting to see so many subscribers actually taking the time to register on my site, I was suspicious from the get-go. Call me paranoid, but read on.
I opened the emails up and saw that all of them had weird usernames and email addresses (I won't post what they were as they could be used to cause damage elsewhere). My geek-sense tingled and alarm bells went off, so I quickly logged in here to see if everything was all right. All was well except that there was an update to Wordpress (2.6.2) available. I checked the release notes and, you guessed it, there was mention of an "exploit" that allowed an attacker using specially crafted usernames (and email addresses, I assume) to change another user's password (presumably mine) to a randomly generated one. This can only happen if you allow visitors to register an account on your Wordpress blog.
Because the new password is random, the attacker doesn't know it — that's why, as the release notes say, this isn't much more than a nuisance on its own, since it doesn't give the attacker access to the account. However, combined with a weakness in the mt_rand() function, an attacker could potentially guess the newly generated password.
The attack is difficult to accomplish, but its mere possibility means we recommend upgrading to 2.6.2.
– Wordpress development blog
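To make the point above concrete, here is a small added example (my own illustration, not code from Wordpress) contrasting a reset password drawn from a seedable Mersenne Twister generator, the family mt_rand() belongs to, with one drawn from the operating system's CSPRNG; the seed value and the 32-bit seed size are assumptions for the illustration.

```python
import math
import random
import secrets
import string

# Alphabet for generated passwords (assumed; not Wordpress's own).
ALPHABET = string.ascii_letters + string.digits

def weak_reset_password(seed: int, length: int = 12) -> str:
    """Constructed illustration: a reset password drawn from a seedable
    Mersenne Twister PRNG. Whoever can recover the seed can regenerate
    exactly the same password, so 'random' does not mean 'unknown'."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))

def strong_reset_password(length: int = 12) -> str:
    """Reset password drawn from the OS CSPRNG; there is no seed to recover."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def weak_is_reproducible(seed: int) -> bool:
    """True when two generations with the same seed yield the same password."""
    return weak_reset_password(seed) == weak_reset_password(seed)

def strong_is_reproducible() -> bool:
    """Two independent CSPRNG draws should practically never match."""
    return strong_reset_password() == strong_reset_password()

def effective_entropy_bits(length: int, seed_bits: int) -> float:
    """Apparent strength of the password versus what the generator can
    actually produce: no more distinct passwords exist than distinct seeds."""
    apparent = length * math.log2(len(ALPHABET))
    return min(apparent, seed_bits)
```

A 12-character alphanumeric password looks like roughly 71 bits of entropy, but if the generator is seeded from a 32-bit value the reset flow can only ever produce 2^32 distinct passwords, which is the gap the release notes are warning about.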
So if you’re using Wordpress version 2.6.1 and allow open user registrations, you should definitely upgrade as soon as possible. Get the latest version, or if you’re like me, you can use the Wordpress Automatic Upgrade plugin, which works like a charm.