WordPress issues new version, closes password flaw

WordPress, the popular blogging software platform, has been updated to fix a flaw that could have enabled a hacker to change an administrator password.

The bug enables a specially crafted URL to evade a password reset security verification check, Matt Mullenweg, founding developer of WordPress, said Wednesday on the organization's blog.

“As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner,” he said.

While a nuisance, the flaw would not on its own let an attacker into the blog's back end -- unless they also had access to the admin's email account to retrieve the new password.
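The check the article describes, modelled as an added example (not WordPress code): a reset handler that only tests whether a key was supplied lets an empty key fall through to the database lookup, where it matches the first account with no key stored; the hardened version ties the key to a named account, requires a real key value, compares it in constant time and clears it after one use. The in-memory user table and the `users` schema are constructed for this illustration.

```python
import hmac
import secrets
import sqlite3


def make_db():
    """Constructed user table standing in for a blog's user store.
    The admin and editor rows have no activation key set, which is the
    state the article describes for accounts that never requested a reset."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, "
               "activation_key TEXT NOT NULL DEFAULT '')")
    db.executemany("INSERT INTO users (login, activation_key) VALUES (?, ?)",
                   [("admin", ""), ("editor", ""), ("alice", secrets.token_hex(16))])
    db.commit()
    return db


def reset_user_weak(db, key):
    """Weak check: rejects only a missing key, then trusts the lookup.
    An empty key therefore matches the first account whose stored key is empty."""
    if key is None:
        return None
    row = db.execute("SELECT login FROM users WHERE activation_key = ? LIMIT 1",
                     (str(key),)).fetchone()
    return row[0] if row else None


def reset_user_hardened(db, login, key):
    """Hardened check: the key must be a non-empty string of the expected length,
    bound to the named login, compared in constant time and invalidated on use."""
    if not isinstance(key, str) or len(key) != 32:
        return None
    row = db.execute("SELECT id, activation_key FROM users WHERE login = ?",
                     (login,)).fetchone()
    if row is None or not row[1]:
        return None  # unknown user, or no reset was ever requested for it
    if not hmac.compare_digest(row[1], key):
        return None
    # Single use: clear the key so the same link cannot reset the account twice.
    db.execute("UPDATE users SET activation_key = '' WHERE id = ?", (row[0],))
    db.commit()
    return login
```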

Considering its large code base, which could contain a variety of vulnerabilities, this was a relatively mild incident, Maxim Weinstein, manager of StopBadware.org at the Berkman Center for Internet and Society at Harvard University, told SCMagazineUS.com Wednesday.

“Unlike previous vulnerabilities that essentially enabled modification of contents, this one did not seem quite as bad,” he said. “There have been vulnerabilities in WordPress that have let people exploit those vulnerabilities to inject new content or execute code at the server level, sometimes used to create drive-by downloads.”

WordPress does a credible job of responding to reported vulnerabilities and patching, but users are not always as vigilant, Weinstein said.

“WordPress has streamlined the update process,” he said. “The problem is that users do not always know that they have to keep updated.”

In light of the sizeable target, hackers are unlikely to scale back on efforts to compromise the software platform.

“This should serve as notification to WordPress developers that security has to be front of mind with every bit of code they write,” Weinstein said. “They need to find ways to integrate security into all their development and testing processes.”

The newest WordPress version, 2.8.4, is available for download. Just last week, WordPress had issued a new version to close a number of other vulnerabilities.
