WordPress bug resets admin password

This story was updated to correct details of the bug. It allows attackers to reset passwords, but not take over accounts. Developers of the widely used WordPress blogging software have released an update that fixes a vulnerability that let attackers reset the administrator password. The bug in version 2.8.3 is trivial to …

COMMENTS

  1. Anonymous Coward

    It's Not A Takeover. It's An Annoyance.

    Sk1dd3s can force a password reset on the admin account.

    They can't actually take the blog over, just make it a pain to access.

    I'll wait until the "less panicked" release comes out...

  2. Subhi Hashwa

    New version is out

    2.8.4 is now out to address this issue specifically.

    http://wordpress.org/development/2009/08/2-8-4-security-release/

    and to download the new version:

    http://wordpress.org/wordpress-2.8.4.zip

  3. Chris Hills

    Actually

    Sorry Reg, this does not allow someone to take over a blog, it merely allows the administrator password to be reset, which is just an annoyance. To take over the blog the attacker would also have to have control of the email account to which the password reset mail is sent.

  4. Anonymous Coward

    Article is wrong.

    You can cause a password reset for the administrator, which results in the password being reset and the administrator being sent an email with the new password. Unless the attacker has access to the admin's email (in which case they could do a normal password reset anyway) this isn't an issue. Why this is a problem is that if people continually reset a blog's password they can effectively lock the administrator out.

  5. borat

    Not as bad as it seems...

    The bad guy can only reset the admin password, not get full access to the admin account.

    Errata published here: http://lists.grok.org.uk/pipermail/full-disclosure/2009-August/070139.html

    I know it's still bad, but not quite as "train smash" as first thought.

  6. Anonymous Coward

    What's the admin's name?

    Unless they have that then it's not going to help them, and as has been pointed out it only allows them to force a reset on the password; it doesn't give them access to the account, due to the two-part process needed to reset a password on WordPress.

    And it's fixed already, and WP (and WPMU) have update checking in them, so people will start to get notifications that they need to upgrade.

    So not the huge disaster you tried to paint it as.
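The point made in comments 4 and 6 above, as an added model (not WordPress code, and not posted by any commenter): a two-part reset issues a key that only ever reaches the account's mailbox, and completing the reset mails a fresh random password to the same address. If an attacker can trigger the second step without the key, the effect is exactly what the thread describes: the old password stops working and the new one is in the admin's inbox, not in the attacker's hands, so repeated forced resets lock the admin out rather than hand the account over. The user store, mailbox, the `check_key=False` switch and every function name here are illustrative assumptions; how the 2.8.3 key check was bypassed is not modelled.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory state standing in for the site's user table and the
# admin's e-mail inbox. Not WordPress's schema; assumptions for this example.
USERS = {}
MAILBOX = []
RESET_LOG = []   # one entry per completed reset, to show the lockout effect

# Low iteration count to keep the example fast; a real deployment would use far more.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def create_user(name, email, password):
    salt = secrets.token_bytes(16)
    USERS[name] = {"email": email, "salt": salt,
                   "hash": _hash(password, salt), "activation_key": None}

def login(name, password):
    u = USERS.get(name)
    if u is None or password is None:
        return False
    return hmac.compare_digest(u["hash"], _hash(password, u["salt"]))

def request_reset(name):
    """Step 1 of the two-part flow: issue a key and mail it to the account's address."""
    u = USERS[name]
    key = secrets.token_urlsafe(20)
    u["activation_key"] = key
    MAILBOX.append({"to": u["email"], "subject": "Password reset requested", "key": key})
    return key   # returned only so the demo can play the legitimate admin

def complete_reset(name, presented_key, *, check_key=True):
    """Step 2: set a fresh random password and mail it to the account's address.

    check_key=False models what the thread says the bug allowed: the reset
    completes without the key. The mechanism of the bypass is an assumption
    left out of this model on purpose.
    """
    u = USERS[name]
    if check_key:
        if not u["activation_key"] or not presented_key:
            return False
        if not hmac.compare_digest(u["activation_key"], presented_key):
            return False
    new_password = secrets.token_urlsafe(12)
    u["salt"] = secrets.token_bytes(16)
    u["hash"] = _hash(new_password, u["salt"])
    u["activation_key"] = None
    MAILBOX.append({"to": u["email"], "subject": "Your new password", "password": new_password})
    RESET_LOG.append(name)
    return True

def attacker_forced_reset(name):
    """What the bug gives an attacker: a completed reset, and nothing that was mailed."""
    return complete_reset(name, presented_key=None, check_key=False)

def latest_mailed_password():
    """What the admin sees when reading the inbox: only the most recent password is live."""
    for m in reversed(MAILBOX):
        if "password" in m:
            return m["password"]
    return None

def demo():
    USERS.clear(); MAILBOX.clear(); RESET_LOG.clear()
    create_user("admin", "admin@example.org", "original-secret")

    # Legitimate two-part reset: key goes to the mailbox, admin presents it.
    key = request_reset("admin")
    legit_ok = complete_reset("admin", key)
    legit_pw = latest_mailed_password()

    # Hardened path: without the key, or with a guessed one, nothing changes.
    no_key_ok = complete_reset("admin", None)
    guess_ok = complete_reset("admin", "guess")

    # Forced reset: the admin's current password dies, the new one is in the inbox only.
    attacker_forced_reset("admin")
    old_after_forced = login("admin", legit_pw)
    new_pw = latest_mailed_password()
    admin_recovers = login("admin", new_pw)

    # Repeated forced resets: the password the admin just received is dead again.
    for _ in range(3):
        attacker_forced_reset("admin")
    recovered_again = login("admin", new_pw)
    admin_recovers_latest = login("admin", latest_mailed_password())

    return {
        "legit_two_part_reset": legit_ok and login("admin", legit_pw) is False,
        "reset_without_key_rejected": no_key_ok is False and guess_ok is False,
        "old_password_after_forced_reset": old_after_forced,
        "admin_recovers_from_mail": admin_recovers,
        "password_after_repeat_forced_resets": recovered_again,
        "admin_recovers_from_latest_mail": admin_recovers_latest,
        "completed_resets": len(RESET_LOG),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The thing to read off the result is which channel carries the secret: the attacker's call returns only `True`, while every password ever set lands in `MAILBOX`. That is why the thread treats the bug as denial of service against the admin rather than account takeover, and why the only check worth adding on the hardened path is that the presented key must match the one that was mailed.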

  7. Anonymous Coward

    So that's how the ZF0 guy did it.

    Ta-daa! Teh mystery is revealed.
