WordPress 2.6.2 Mandatory Upgrade for blogs with open registration

September 9, 2008 by Shanker Bakshi  
Filed under Blogging, Blogging Resource

If you allow open registration on your blog, you must upgrade to WordPress 2.6.2. From a security point of view the upgrade is mandatory: Stefan Esser recently warned developers of the dangers of SQL column truncation and of the weakness of mt_rand().

With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password.  The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit.  However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password.
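As an added illustration of the defensive side of the column-truncation issue (example code written for this post, not WordPress's own code and not the 2.6.2 fix): a registration check that refuses any login that MySQL in its default non-strict mode would silently truncate, or that it would compare as equal to an existing account. The column width of 60 and the sample login list are assumptions.

```python
"""Defensive check against SQL column-truncation username collisions.

Constructed example, not WordPress code. It models two MySQL behaviours that
together let a seemingly new username end up matching an existing account:
  * in non-strict mode a value longer than a VARCHAR column is cut to the
    column length on INSERT without an error;
  * string comparison with the default (PAD SPACE) collations ignores
    trailing spaces, so 'admin' and 'admin   ' compare as equal.
"""

USER_LOGIN_MAX = 60  # assumption: width of the user_login column


def stored_form(username: str, max_len: int = USER_LOGIN_MAX) -> str:
    """Value a non-strict MySQL VARCHAR(max_len) column would actually keep."""
    return username[:max_len]


def comparison_key(username: str, max_len: int = USER_LOGIN_MAX) -> str:
    """Key under which MySQL would compare the stored value (trailing spaces
    ignored, case-insensitive collation assumed)."""
    return stored_form(username, max_len).rstrip(" ").lower()


def registration_problems(candidate: str, existing_logins,
                          max_len: int = USER_LOGIN_MAX):
    """Return the reasons a registration must be refused; [] means accept.

    The check is done on the form the database would store and compare,
    not on the string the application validated.
    """
    problems = []
    if len(candidate) > max_len:
        problems.append("login longer than column: it would be silently "
                        "truncated on insert")
    if candidate != candidate.strip():
        problems.append("whitespace at either end: trailing spaces are "
                        "ignored by MySQL string comparison")
    key = comparison_key(candidate, max_len)
    for login in existing_logins:
        if comparison_key(login, max_len) == key:
            problems.append(
                f"would be stored/compared as existing login {login!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample of existing accounts.
    accounts = ["admin", "alice"]
    for name in ["bob", "Alice", "admin "]:
        print(repr(name), "->", registration_problems(name, accounts) or "ok")
```

A real fix also belongs in the database itself: enabling MySQL strict mode turns the silent truncation into an insert error, so the application-side check above is a second line of defence rather than the only one.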

Comments

5 Responses to “WordPress 2.6.2 Mandatory Upgrade for blogs with open registration”

  1. Paul U on September 10th, 2008 12:02 am

    I just created a post about this new update from WordPress.


  2. Marlene on September 10th, 2008 8:16 pm

    I had open registration in one of my blogs but I disabled it now. It’s WP 2.6. But I opened it only for my friend to register as a contributor.


  3. ZK@WebTrafficROI on September 11th, 2008 4:03 pm

    WordPress is coming out with too many upgrades too fast.


    Shanker Bakshi Reply:

    This was critical from a security point of view, so as soon as they realized the vulnerability they came up with a solution in 2.6.2.


  4. Myers Briggs on September 17th, 2008 6:08 am

    Woah, this is the first time I’ve read about this. I typically avoid upgrading for a long time…basically until a cool new plugin comes around but I’ll have to upgrade now.
