WordPress: Security Alert

Greg K's picture

He has: 2,145 posts

Joined: Nov 2003

http://blogs.zdnet.com/security/?p=4002

Researchers are sounding the alarm for a serious administrator password-reset vulnerability affecting the latest version of WordPress, the popular open-source blog publishing platform.

The flaw, which can be exploited via the browser, gives an attacker a trivial way to compromise the admin account of any WordPress or WordPress MU (multi-user) installation.

See http://seclists.org/fulldisclosure/2009/Aug/0113.html for the details.

IMO, until there is a fix for this, prevent that code from executing in that section (see the second link above for the location of the code):

case 'resetpass':
case 'rp':

    die('Due to technical issues with WordPress, please contact the administrator to reset your password.');

    // .... (the code that is normally in here) ...

    break;
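As an added example (not code from this thread or from WordPress itself), the general point behind a fix for a handler like this: a reset key read from the query string should be rejected unless it is a plain string in the expected alphabet, not merely "cleaned up" and tested with empty(). The loose filter and the key format are assumptions for illustration; the actual 2.8.3 handler is in the linked disclosure, not on this page.

```php
<?php
// Added example, not code from this thread or from WordPress itself.
// It contrasts a loose "sanitise then test empty()" filter with a strict
// validator for a password-reset key. The key format ([a-z0-9], up to 64
// characters) is an assumption for illustration.

/** Loose pattern: strips unwanted characters but never checks the type. */
function filter_key_loosely($key)
{
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    return empty($key) ? false : $key;  // anything non-empty is passed on
}

/** Strict pattern: only a non-empty [a-z0-9] string of bounded length. */
function validate_reset_key($key)
{
    if (!is_string($key)) {
        return false;  // arrays, null, objects: reject, do not coerce
    }
    if (!preg_match('/^[a-z0-9]{1,64}$/i', $key)) {
        return false;  // reject malformed input instead of cleaning it
    }
    return $key;
}

// Constructed inputs: a well-formed key, an empty string, and the array
// PHP builds when a query parameter is written with "[]" syntax.
$samples = [
    'well-formed' => 'a1b2c3d4e5f6',
    'empty'       => '',
    'array'       => [''],
];

// The loose filter lets the array through (preg_replace() returns an array,
// and empty() is false for a one-element array); the strict one rejects it.
foreach ($samples as $label => $input) {
    printf("%-12s loose=%s strict=%s\n",
        $label,
        json_encode(filter_key_loosely($input)),
        json_encode(validate_reset_key($input)));
}
```

The lesson carries over to any scalar the handler later feeds into a database query: validate the type and shape up front and fail closed, as the die() stopgap above does.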

greg's picture

He has: 1,581 posts

Joined: Nov 2005

They've released a fix in 2.8.4.

Sign into the dashboard and click update automatically.
http://wordpress.org/development/2009/08/2-8-4-security-release/

I don't think anything malicious could be done from it; it just allowed people to reset your admin password.
So if you have access to the DB, that isn't an issue anyway - annoying, yes.

Pretty good they fixed it overnight - if only their support form could be half as good as this...
