WordPress bug resets admin password
This story was updated to correct details of the bug. It allows attackers to reset passwords, but not take over accounts. Developers of the widely used WordPress blogging software have released an update that fixes a vulnerability that let attackers reset the administrator password. The bug in version 2.8.3 is trivial to …
It's Not A Takeover. It's An Annoyance.
Sk1dd3s can force a password reset on the admin account.
They can't actually take the blog over, just make it a pain to access.
I'll wait until the "less panicked" release comes out...
New version is out
2.8.4 is now out to address this issue specifically.
http://wordpress.org/development/2009/08/2-8-4-security-release/
& to download the new version
http://wordpress.org/wordpress-2.8.4.zip
Actually
Sorry Reg, this does not allow someone to take over a blog, it merely allows the administrator password to be reset, which is just an annoyance. To take over the blog the attacker would also have to have control of the email account to which the password reset mail is sent.
Article is wrong.
You can cause a password reset for the administrator which results in the password being reset and the administrator being sent an email with the new password. Unless the attacker has access to the admin's email (in which case they could do a normal password reset anyways) this isn't an issue. Why this is a problem is if people continually reset a blog's password they can effectively lock the administrator out.
Not as bad as it seems...
The bad guy can only reset the admin password, not get full access to the admin account.
Errata published here: http://lists.grok.org.uk/pipermail/full-disclosure/2009-August/070139.html
I know it's still bad, but not quite as "train smash" as first thought.
What's the admin's name?
Unless they have that then it's not going to help them, and as has been pointed out it only allows them to force a reset on the password, it doesn't give them access to the account due to the two-part process needed to reset a password on WordPress.
And it's fixed already and WP (and WPMU) have update checking in them so people will start to get notifications that they need to upgrade.
So not the huge disaster you tried to paint it as.
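The two points the commenters make above (a forced reset only annoys because the emailed second step still stands between the attacker and the account, and repeated forced resets can still lock the legitimate admin out) both come down to how the reset flow is designed. The following is an added example, not WordPress code and not the patch in 2.8.4: a small two-step reset service that (a) refuses any reset key that is not a single string of the expected shape before it touches the user store, (b) leaves the existing password untouched until the emailed token is presented, so step one alone cannot lock anyone out, and (c) rate-limits step one per login so a flood of requests is also a non-event. The in-memory `User` table, the token format, the 3-per-hour policy and the `outbox` list standing in for SMTP are all assumptions made for the example.

```python
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass
from typing import List, Optional


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-SHA256 with a random salt; stored as 'salthex$digesthex'."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(digest.hex(), digest_hex)


@dataclass
class User:
    # Constructed stand-in for a users table row (assumption for the example).
    login: str
    email: str
    password_hash: str
    reset_token: Optional[str] = None   # single-use token from step one
    reset_expires: float = 0.0


class ResetService:
    """Two-step reset: step one mails a single-use token; step two changes the
    password only when that token is presented. Nothing about the account
    changes in step one, so forcing step one is a nuisance, not a lockout."""

    TOKEN_RE = re.compile(r"^[a-f0-9]{32}$")   # exact shape of our tokens
    MAX_REQUESTS = 3                            # per login per window (assumed policy)
    WINDOW_SECONDS = 3600
    TOKEN_TTL = 900

    def __init__(self, users: List[User]):
        self.users = {u.login: u for u in users}
        self.outbox = []     # (email, message) pairs; stands in for SMTP
        self.requests = {}   # login -> timestamps of recent step-one requests

    def request_reset(self, login: str, now: Optional[float] = None) -> str:
        """Step one: issue a token and mail it. Never touches the password."""
        now = time.time() if now is None else now
        stamps = [t for t in self.requests.get(login, []) if now - t < self.WINDOW_SECONDS]
        if len(stamps) >= self.MAX_REQUESTS:
            return "rate_limited"          # repeated requests cannot be used as a flood
        stamps.append(now)
        self.requests[login] = stamps
        user = self.users.get(login)
        if user is None:
            return "ok"                    # same answer as success: don't reveal valid logins
        user.reset_token = secrets.token_hex(16)
        user.reset_expires = now + self.TOKEN_TTL
        self.outbox.append((user.email, f"reset token: {user.reset_token}"))
        return "ok"

    def confirm_reset(self, login: str, key, new_password: str,
                      now: Optional[float] = None) -> str:
        """Step two: only a string key of the right shape, matching the stored
        unexpired token, changes the password. Arrays, empty values and
        anything else are rejected before the user store is consulted."""
        now = time.time() if now is None else now
        if not isinstance(key, str) or not self.TOKEN_RE.match(key):
            return "invalid_key"
        user = self.users.get(login)
        if user is None or user.reset_token is None or now > user.reset_expires:
            return "invalid_key"
        if not hmac.compare_digest(user.reset_token, key):
            return "invalid_key"
        user.password_hash = hash_password(new_password)
        user.reset_token = None            # single use
        user.reset_expires = 0.0
        return "reset"


def demo() -> dict:
    """Walk both steps against a constructed admin account and report results."""
    svc = ResetService([User("admin", "admin@example.invalid", hash_password("old-pw"))])
    results = {
        "array_key": svc.confirm_reset("admin", ["x"], "new-pw"),
        "empty_key": svc.confirm_reset("admin", "", "new-pw"),
        "first_request": svc.request_reset("admin", now=0),
    }
    results["old_pw_still_valid"] = verify_password("old-pw", svc.users["admin"].password_hash)
    svc.request_reset("admin", now=1)
    svc.request_reset("admin", now=2)
    results["fourth_request"] = svc.request_reset("admin", now=3)
    token = svc.outbox[-1][1].split(": ", 1)[1]
    results["confirm"] = svc.confirm_reset("admin", token, "new-pw", now=10)
    results["new_pw_valid"] = verify_password("new-pw", svc.users["admin"].password_hash)
    results["replay"] = svc.confirm_reset("admin", token, "again", now=11)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design choice worth noting is where the password changes: in this flow it changes only in `confirm_reset`, after the mailed token is presented, so an attacker who can trigger `request_reset` at will gains nothing and cannot deny the real admin access either. Rejecting non-string keys up front is cheap and removes a whole class of type-confusion surprises from the lookup that follows.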
So that's how the ZF0 guy did it.
Ta-daa! Teh mystery is revealed.
