WordPress bug resets admin password
This story was updated to correct details of the bug. It allows attackers to reset passwords, but not take over accounts. Developers of the widely used WordPress blogging software have released an update that fixes a vulnerability that let attackers reset the administrator password. The bug in version 2.8.3 is trivial to …
Sk1dd3s can force a password reset on the admin account.
They can't actually take the blog over, just make it a pain to access.
I'll wait until the "less panicked" release comes out...
2.8.4 is now out to address this issue specifically.
http://wordpress.org/development/2009/08/2-8-4-security-release/
& to download new version
http://wordpress.org/wordpress-2.8.4.zip
Sorry Reg, this does not allow someone to take over a blog, it merely allows the administrator password to be reset, which is just an annoyance. To take over the blog the attacker would also have to have control of the email account to which the password reset mail is sent.
You can cause a password reset for the administrator which results in the password being reset and the administrator being sent an email with the new password. Unless the attacker has access to the admin's email 9in which case they could do a normal password reset anyways) this isn't an issue. Why this is a problem is if people continually reset a blogs password they can effectively lock the administrator out.
The bad guy can only reset the admin password, not get full access to the admin account.
Errata published here: http://lists.grok.org.uk/pipermail/full-disclosure/2009-August/070139.html
I know it's still bad, but not quite as "train smash" as first thought.
Unless they have that then its not going to help them, and has been pointed out it only allows them to force a reset on the password, it doesn't give them access to the account due to the two part process needed to reset a password on WordPress.
And its fixed already and WP (and WPMU) have update checking in them so people will start to get notifications that they need to upgrade.
So not the huge disaster you tried to paint it as.
Ta-daa! Teh mystery is revealed.
Sign up, sign up for The Register's weekly IT security newsletter - click here
