WordPress shuts door on new PHP attack vector

The WordPress patching hamster wheel keeps on rolling and rolling.

According to an advisory from maintainers of the open-source blog software, WordPress 2.6.2 was released on September 8 to mitigate a new attack vector discovered by PHP security guru Stefan Esser.

From the announcement:

  • Stefan Esser recently warned developers of the dangers of SQL Column Truncation and the weakness of mt_rand().  With his help we worked around these problems and are now releasing WordPress 2.6.2.  If you allow open registration on your blog, you should definitely upgrade.  With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user's password to a randomly generated password.  The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit.  However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password.

WordPress developers said the attack is difficult to accomplish but, because of the associated risk, the patch is being released.

It's important to note that other PHP applications are vulnerable to this class of attack.
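As an added illustration (not WordPress's own code), the following Python model shows the column-truncation collision the advisory describes, with the vulnerable registration check beside a hardened one. The column width, MySQL's non-strict silent truncation and its PAD SPACE comparison are assumptions made for the illustration, not facts taken from the article.

```python
# Added illustration, not WordPress code. Assumptions (not from the article):
# the login column is a fixed-width VARCHAR that non-strict MySQL silently
# cuts, and trailing spaces are ignored on comparison (PAD SPACE collation).
LOGIN_WIDTH = 60  # assumed column width, for illustration only

def db_store(value, width=LOGIN_WIDTH):
    """Model of non-strict MySQL: an over-long value is cut, not rejected."""
    return value[:width]

def db_equal(a, b):
    """Model of PAD SPACE comparison: trailing spaces are not significant."""
    return a.rstrip(" ") == b.rstrip(" ")

class Users:
    def __init__(self):
        self.rows = []

    def find(self, login):
        return [r for r in self.rows if db_equal(r["login"], login)]

    def register_vulnerable(self, login, password):
        # Checks the raw input; a name that only collides after truncation passes.
        if any(r["login"] == login for r in self.rows):
            raise ValueError("username taken")
        self.rows.append({"login": db_store(login), "password": password})

    def register_hardened(self, login, password):
        # Refuse what the column cannot hold verbatim; compare as the database does.
        login = login.strip()
        if not login or len(login) > LOGIN_WIDTH:
            raise ValueError("invalid username length")
        if self.find(login):
            raise ValueError("username taken")
        self.rows.append({"login": login, "password": password})

def colliding_name(victim, width=LOGIN_WIDTH):
    """Constructed input: an existing name padded past the column width."""
    return victim + " " * (width - len(victim)) + "x"

def demo():
    """Rows matching 'admin' after a second signup: (vulnerable, hardened)."""
    vuln, hard = Users(), Users()
    vuln.register_vulnerable("admin", "first")
    vuln.register_vulnerable(colliding_name("admin"), "second")
    hard.register_hardened("admin", "first")
    try:
        hard.register_hardened(colliding_name("admin"), "second")
    except ValueError:
        pass
    return len(vuln.find("admin")), len(hard.find("admin"))
```

In the vulnerable flow a password reset that looks up `admin` now matches two rows, which is the ambiguity the advisory warns about; the hardened flow keeps a single row.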

Talkback

3 comments
  • Hopefully this fixes the problems we've seen with hacked WP sites

    Last spring I discovered that one of our public blogsite servers was under attack by hundreds of compromised WordPress servers. While our security layers have learned to detect and deflect these attacks, there has been no sign of the problem with the WordPress servers being addressed.

    I wrote about this problem here:

    Compromised WordPress Blogs Become an Army of Hacker Zombies
    http://faseidl.com/public/item/200919
    faseidl
  • What WordPress version is ZDNet on, Ryan?

    nt
    D T Schmitz
  • RE: WordPress shuts door on new PHP attack vector

    We run a heavily modified version (for instance this comment system is not from WordPress), so the version in our case is not really meaningful.
    JFPSF