This story was updated to correct details of the bug. It allows attackers to reset passwords, but not take over accounts. Developers of the widely used WordPress blogging software have released an update that fixes a vulnerability that let attackers reset the administrator password. The bug in version 2.8.3 is trivial to …
It's Not A Takover. It's An Annoyance.
Sk1dd3s can force a password reset on the admin account.
They can't actually take the blog over, just make it a pain to access.
I'll wait until the "less panicked" release comes out...
New version is out
2.8.4 is now out to address this issue specifically.
& to download new version
Sorry Reg, this does not allow someone to take over a blog, it merely allows the administrator password to be reset, which is just an annoyance. To take over the blog the attacker would also have to have control of the email account to which the password reset mail is sent.
Article is wrong.
You can cause a password reset for the administrator which results in the password being reset and the administrator being sent an email with the new password. Unless the attacker has access to the admin's email 9in which case they could do a normal password reset anyways) this isn't an issue. Why this is a problem is if people continually reset a blogs password they can effectively lock the administrator out.
Not as bad as it seems...
The bad guy can only reset the admin password, not get full access to the admin account.
Errata published here: http://lists.grok.org.uk/pipermail/full-disclosure/2009-August/070139.html
I know it's still bad, but not quite as "train smash" as first thought.
What's the admin's name?
Unless they have that then its not going to help them, and has been pointed out it only allows them to force a reset on the password, it doesn't give them access to the account due to the two part process needed to reset a password on WordPress.
And its fixed already and WP (and WPMU) have update checking in them so people will start to get notifications that they need to upgrade.
So not the huge disaster you tried to paint it as.
So that's how the ZF0 guy did it.
Ta-daa! Teh mystery is revealed.
- Review Reg man looks through a Glass, darkly: Google's toy ploy or killer tech specs?
- MEN WANTED to satisfy town full of yearning BRAZILIAN HOTNESS
- +Comment 'Stop dissing Google or quit': OK, I quit, says Code Club co-founder
- Nokia: Read our Maps, Samsung – we're HERE for the Gear
- Apple tried to get a ban on Galaxy, judge said: NO, NO, NO