WordPress 2.6.2 Mandatory Upgrade for blogs with open registration

If you allow open registration for your readers on your blog, then you must upgrade your blog to WordPress 2.6.2. From a security point of view it is mandatory to upgrade WP to this release: Stefan Esser recently warned developers of the dangers of SQL column truncation and the weakness of mt_rand().

With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it allows resetting another user’s password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password.
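The following is an added example, not code from the WordPress post or from WordPress itself. It simulates the SQL column truncation weakness described above (a non-strict MySQL column silently truncates an over-long value, and string comparison ignores trailing spaces, so a crafted name collapses onto an existing one) next to a registration check that rejects such names and an audit function for finding existing collisions. The column width of 60 and the trailing-space comparison rule are assumptions for the simulation.

```python
# Added example: simulated column truncation collision and a hardened check.
COLUMN_WIDTH = 60  # assumed varchar width of the username column


def mysql_store(value, width=COLUMN_WIDTH):
    """Non-strict MySQL silently truncates an over-long string to the column width.
    With STRICT_TRANS_TABLES enabled the INSERT would raise an error instead."""
    return value[:width]


def mysql_equal(a, b):
    """String equality under a PAD SPACE collation: trailing spaces are ignored."""
    return a.rstrip(" ") == b.rstrip(" ")


def lookup(users, name):
    """Rows a 'WHERE user_login = name' query would return."""
    return [u for u in users if mysql_equal(u, name)]


def register_unsafe(users, username):
    """Weak flow: the uniqueness check runs on the untruncated value, but the
    stored value is truncated and then compares equal to an existing user."""
    if lookup(users, username):
        return False
    users.append(mysql_store(username))
    return True


def register_hardened(users, username):
    """Reject any name that would not survive storage unchanged, then compare
    exactly; storage is assumed to run in strict SQL mode so nothing is truncated."""
    if not username or len(username) > COLUMN_WIDTH or username != username.strip():
        return False
    if any(u == username for u in users):
        return False
    users.append(username)
    return True


def find_collisions(users):
    """Audit helper: stored usernames that collapse to the same lookup key."""
    groups = {}
    for u in users:
        groups.setdefault(u.rstrip(" "), []).append(u)
    return {key: names for key, names in groups.items() if len(names) > 1}
```

Running `find_collisions` over an existing user table is the quickest way to tell whether a colliding account was ever registered before the upgrade.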



5 Responses to “WordPress 2.6.2 Mandatory Upgrade for blogs with open registration”

  1. I just created a post about this new update from Wordpress.


  2. I had open registration in one of my blogs but I disabled it now. It’s WP 2.6. But I opened it only for my friend to register as a contributor.

  3. Wordpress is coming out with too many upgrades too fast


  4. This was critical from a security point of view, so as soon as they realized the vulnerability they came up with a solution in 2.6.2

  5. Woah, this is the first time I’ve read about this. I typically avoid upgrading for a long time…basically until a cool new plugin comes around but I’ll have to upgrade now.
