WordPress 2.6.2 – Important Security Fix
Well, what do you know, there is another release of WordPress, and a crucial one that you should upgrade to as soon as possible. I have already upgraded my site, and I recommend you do the same. Recently, Stefan Esser warned developers of the dangers of SQL column truncation and the weakness of mt_rand().
It is mainly geared towards users who have open registration enabled, because WP 2.6.1 and earlier versions let you craft a username that will reset another user’s password to a randomly generated password. The randomly generated password is not disclosed to the attacker, but it is still annoying to know that someone can do this, so it was more of an annoyance than a security exploit.
Even though it wasn’t a security exploit on its own, it can lead to many further breakthroughs. Because the new password comes from mt_rand(), an attacker who can work out how mt_rand() was seeded could predict the randomly generated password (the output follows from the formula the generator uses once the seed is known). The attack is difficult to accomplish, and most people don’t know how to do it, but there is a possibility, and when there is, you know not to take risks. So upgrade to WordPress 2.6.2. Thanks to Stefan, because with his help the WordPress team was able to fix the issue. He will be releasing the complete attack details soon.
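To make the two weaknesses described above concrete, here is an added PHP example that is not code from the original post or from WordPress itself. It models what a MySQL server running without strict mode does with an over-long value (silent truncation) and how its default PAD SPACE collations compare strings (trailing spaces ignored), shows a registration check that rejects any username that would not be stored exactly as submitted, and generates a reset password from random_int() instead of mt_rand(). The column width of 60 and the allowed username character set are assumptions chosen for the example, not values taken from the post.

```php
<?php
// Added example, not part of the original post or of WordPress.
// Assumption: the users table stores logins in a VARCHAR(60) column.
const USER_LOGIN_MAX = 60;

/**
 * Model of a non-strict MySQL server storing an over-long value: the value
 * is silently cut to the column width instead of being rejected.
 * This is a simulation for illustration, not a database call.
 */
function simulate_truncated_store(string $value, int $max = USER_LOGIN_MAX): string {
    return substr($value, 0, $max);
}

/**
 * Model of comparison under a PAD SPACE collation: trailing spaces are
 * ignored, so 'admin' followed by spaces compares equal to 'admin'.
 */
function mysql_pad_space_equal(string $a, string $b): bool {
    return rtrim($a, ' ') === rtrim($b, ' ');
}

/**
 * Registration-time check: accept a login only if it would be stored exactly
 * as given. Rejects surrounding whitespace (which comparison would ignore),
 * anything longer than the column (which would be truncated) and characters
 * outside a conservative allow-list (an assumption for this example).
 */
function login_fits_column(string $login, int $max = USER_LOGIN_MAX): bool {
    if ($login !== trim($login)) {
        return false; // leading or trailing whitespace
    }
    if (strlen($login) > $max) {
        return false; // would be silently truncated by a non-strict server
    }
    if (!preg_match('/^[A-Za-z0-9_.@-]+$/', $login)) {
        return false; // control characters, spaces, etc. inside the login
    }
    return true;
}

/**
 * Reset-password generator backed by the CSPRNG (random_int), so the value
 * cannot be recovered by predicting a seed the way mt_rand() output can.
 */
function generate_password(int $length = 12): string {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()';
    $n = strlen($alphabet);
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $n - 1)];
    }
    return $out;
}

// Demonstration with a constructed input: a 61-character string that starts
// with an existing login and is padded with spaces past the column width.
$crafted = 'admin' . str_repeat(' ', 55) . 'x';
$stored  = simulate_truncated_store($crafted);             // 'admin' + 55 spaces

var_dump(mysql_pad_space_equal($stored, 'admin'));        // bool(true): the collision
var_dump(login_fits_column($crafted));                    // bool(false): rejected up front
var_dump(login_fits_column('admin'));                     // bool(true)
echo generate_password(), PHP_EOL;                        // e.g. a 12-character random string
```

The point of the first two functions is only to show why the check matters: a server in strict SQL mode would reject the over-long value with an error, but an application cannot assume the server is configured that way, so the length and whitespace check belongs in the application as well.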
Other PHP applications are also susceptible to this class of attack. To protect all of your applications, get the latest version of Suhosin. If you’ve already updated Suhosin, your existing WordPress install is already protected from the full exploit. You should still upgrade to 2.6.2 if you allow open user registration so you can prevent the possibility of passwords being guessed by the attacker.
2.6.2 also contains a handful of bug fixes. Check out the full changeset and list of changed files.
Hey, I am Syed Balkhi, the guy behind Balkhis Inc. I entered the industry back in 2002 not knowing a single thing. I barely spoke English at that time. In the past six years, my language barrier has been eliminated. Aside from English, now I also speak HTML and PHP. Along with the languages I have also managed to master a few arts. The art of web design started when I first entered. Messing around with Photoshop, I learned how to create my first web design. Now I have founded a web design firm, Uzzz Productions. After running numerous websites in various niches, I have mastered the art of web development. Now I am compiling a resource of what I already know, and what I am learning, on this blog. This resource is to help me if I ever need a guide to look back to, and it is to help my fellow webmasters.
Going to upgrade ASAP. I just hope the plugins stay compatible….
Thanks for that timely reminder about WordPress’s 2.6.2 update I keep meaning to get around to it and by all accounts it is an important one from the security angle.
Thanks Balkhis, I have understood that all too well…
Argh – I am getting sick of all these upgrades – it seems like there’s a new one every week
I guess it’s for the better though – just gotta motivate myself to sit down and do it
hehe yeah it is annoying. I am already on wp 2.7
I’ve got to remember to upgrade my blogs! I haven’t even upgraded to 2.6.1!
Eeek. Thanks for explaining the features of it so well
I upgraded, when I saw it in the admin panel, that’s a crazy exploit though, glad we have folks out here looking for them.
hehe yeah I am on 2.7, will show you sneak peeks sometime.
What the crap! You on the development team or something? What did they change? I need that private session man!
They revamped the look of the admin panel again…
Ahh man, did they add drop-down menus? I’m not sure what else they could change…but…I need that exclusive peek man
Here you go.. Read that post, all sneak peeks there
[...] is wrong with you Balkhis, two wordpress posts in a week? Well, I wrote to inform my readers about wordpress 2.6.2 because I know a lot of you were using that version. Because that is the most stable release at [...]
yep – upgraded to this one as soon as I saw its release.