WordPress 2.6.2 Mandatory Upgrade for blogs with open registration

by Shanker Bakshi on September 9, 2008

If you allow open registration on your blog, you must upgrade to WordPress 2.6.2. From a security point of view the upgrade is mandatory: Stefan Esser recently warned developers of the dangers of SQL column truncation and of the weakness of mt_rand().

With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password.  The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit.  However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password.
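The two weaknesses described above suggest two defensive checks on the registration path: refuse any username that the database would not store exactly as entered (so a newly registered name can never compare equal to a different existing one), and generate reset passwords from a cryptographically secure source rather than a predictable generator. The following Python is an added example written for this post, not WordPress code; the 60-byte column width, the `lax_store` function that simulates a non-strict server truncating the value and dropping trailing spaces, and all function names are assumptions for illustration.

```python
import re
import secrets
import string

# Assumed width of the username column (illustrative; not a value from the post).
USERNAME_COLUMN_WIDTH = 60

# Characters we allow in a username; ASCII only, so byte length == char length.
USERNAME_PATTERN = re.compile(r"[A-Za-z0-9_.-]+")


def validate_username(name: str, column_width: int = USERNAME_COLUMN_WIDTH) -> str:
    """Return `name` if it would round-trip through the database unchanged.

    Rejects names that would not be stored exactly as entered: names with
    leading/trailing whitespace (ignored by string comparison on some
    servers), names longer than the column (a lax-mode server silently
    truncates them), and names with characters outside the allowed set.
    """
    if name != name.strip():
        raise ValueError("username has leading or trailing whitespace")
    if not name:
        raise ValueError("username is empty")
    if len(name.encode("utf-8")) > column_width:
        raise ValueError(f"username exceeds column width of {column_width} bytes")
    if not USERNAME_PATTERN.fullmatch(name):
        raise ValueError("username contains characters outside the allowed set")
    return name


def lax_store(name: str, column_width: int) -> str:
    """Simulated storage of a non-strict SQL server (assumption for this example):
    the value is cut to the column width and trailing spaces are dropped."""
    return name[:column_width].rstrip()


def generate_reset_password(length: int = 16) -> str:
    """Build a reset password from the OS CSPRNG instead of a seeded mt_rand()."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def register_user(name: str, users: dict, column_width: int = USERNAME_COLUMN_WIDTH) -> str:
    """Register `name` in the `users` dict (username -> password), returning the
    stored username, or raise ValueError if the name is unsafe or taken."""
    clean = validate_username(name, column_width)
    if clean.lower() in {u.lower() for u in users}:
        raise ValueError("username already taken")
    stored = lax_store(clean, column_width)
    # Defence in depth: read back what the database kept and refuse the
    # registration if it differs from what was requested.
    if stored != clean:
        raise ValueError("stored username differs from requested username")
    users[stored] = generate_reset_password()
    return stored


if __name__ == "__main__":
    users = {}
    print(register_user("alice", users))
    for bad in ("alice ", "a" * 61, "ali ce", "Alice"):
        try:
            register_user(bad, users)
        except ValueError as exc:
            print(f"rejected {bad!r}: {exc}")
```

The validation step is the real fix; the read-back comparison only guards against a validation gap on a server that silently alters stored values, and the password generator shows the replacement for a predictable PRNG.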


Paul U September 10, 2008 at 12:02 am

I just created a post about this new update from WordPress.

Marlene September 10, 2008 at 8:16 pm

I had open registration in one of my blogs but I disabled it now. It’s WP 2.6. But I opened it only for my friend to register as a contributor.


ZK@WebTrafficROI September 11, 2008 at 4:03 pm

WordPress is coming out with too many upgrades too fast.

Shanker Bakshi September 12, 2008 at 5:39 am

This was critical from a security point of view, so as soon as they realized the vulnerability they came up with a solution in 2.6.2.

Myers Briggs September 17, 2008 at 6:08 am

Woah, this is the first time I’ve read about this. I typically avoid upgrading for a long time…basically until a cool new plugin comes around but I’ll have to upgrade now.
