The WordPress bug enables a specially-crafted URL to evade a password reset security verification check, Matt Mullenweg, founding developer of WordPress, said on the organisation's blog. “As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner,” he said.

While annoying, the flaw would not permit a hacker to remotely access the blog's back-end -- unless he or she had access to the admin's email account to retrieve the password.

Considering WordPress' large code base, which could contain a variety of vulnerabilities, this was a relatively mild incident, Maxim Weinstein, manager of StopBadware.org at the Berkman Center for Internet and Society at Harvard University, told SCMagazineUS.com.

“Unlike previous vulnerabilities that essentially enabled modification of contents, this one did not seem quite as bad,” he said. “There have been vulnerabilities in WordPress that have let people exploit those vulnerabilities to inject new content or execute code at the server level, sometimes used to create drive-by downloads.”

WordPress does a credible job of responding to reported vulnerabilities and patching, but users are not always as vigilant, Weinstein said.

“WordPress has streamlined the update process,” he said. “The problem is that users do not always know that they have to keep updated.”

In light of the sizeable target, hackers are unlikely to scale back on efforts to compromise the software platform.

“This should serve as notification to WordPress developers that security has to be front of mind with every bit of code they write,” Weinstein said. “They need to find ways to integrate security into all their development and testing processes.”

The newest WordPress version, 2.8.4, is available for download here. Just last week, WordPress had issued a new version to close a number of other vulnerabilities.

See original article on scmagazineus.com
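The failure class Mullenweg describes, a reset-key check that a request carrying no usable key can satisfy, so that the first account whose stored key is blank (typically the install-time admin) gets reset, is illustrated below in Python. This is an added example written for this article, not WordPress code and not taken from the original report; the user table, the `weak_lookup` and `hardened_lookup` functions and the sample query strings are all constructed for the illustration. The hardened version shows the checks a defender wants in place: a key that must be present and non-empty, a lookup scoped to one named account, an expiry on the issued key, and a constant-time comparison.

```python
"""Weak vs. hardened password-reset key lookup (constructed illustration)."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs


@dataclass
class User:
    login: str
    email: str
    activation_key: str = ""     # "" means no password reset is pending
    key_issued_at: float = 0.0


def sample_users() -> List[User]:
    # Constructed sample table: the first row is an install-time admin with no
    # pending reset, the second row has a reset in progress.
    return [
        User("admin", "admin@example.invalid"),
        User("editor", "editor@example.invalid",
             activation_key="constructed-sample-key", key_issued_at=time.time()),
    ]


def issue_reset_key(user: User, now: Optional[float] = None) -> str:
    # A reset key is an unguessable random token tied to one account and a time.
    key = secrets.token_urlsafe(32)
    user.activation_key = key
    user.key_issued_at = time.time() if now is None else now
    return key


def weak_lookup(users: List[User], query_string: str) -> Optional[User]:
    """Flaw class: whatever key the URL carries (or fails to carry) is compared
    against every row, so a blank key matches the first row whose key is blank."""
    params = parse_qs(query_string)           # parse_qs drops blank values: "key=" -> {}
    key = params.get("key", [""])[0]          # missing key silently becomes ""
    for u in users:
        if u.activation_key == key:           # "" == "" for the admin row
            return u
    return None


def hardened_lookup(users: List[User], query_string: str,
                    now: Optional[float] = None, ttl: int = 3600) -> Optional[User]:
    """Reject the request before touching the table unless it names an account
    and carries a non-empty key; then require a pending, unexpired key for that
    one account and compare in constant time."""
    params = parse_qs(query_string)
    key = params.get("key", [None])[0]
    login = params.get("login", [None])[0]
    if not isinstance(key, str) or not key.strip():
        return None
    if not isinstance(login, str) or not login:
        return None
    now = time.time() if now is None else now
    for u in users:
        if u.login != login:
            continue
        if not u.activation_key:              # no reset pending for this account
            return None
        if now - u.key_issued_at > ttl:       # key too old
            return None
        return u if hmac.compare_digest(u.activation_key, key) else None
    return None


def demo():
    """Returns which account each lookup resolves to (None for a refused request)."""
    users = sample_users()
    weak_hit = weak_lookup(users, "action=rp")                      # no key at all
    hardened_miss = hardened_lookup(users, "action=rp&login=admin")  # no key at all
    key = issue_reset_key(users[1])
    hardened_hit = hardened_lookup(users, f"action=rp&login=editor&key={key}")
    expired = hardened_lookup(users, f"action=rp&login=editor&key={key}",
                              now=time.time() + 7200)
    return (
        weak_hit.login if weak_hit else None,
        hardened_miss.login if hardened_miss else None,
        hardened_hit.login if hardened_hit else None,
        expired.login if expired else None,
    )


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the weak lookup handing back the admin row for a request with no key at all, while the hardened lookup refuses that request, accepts a freshly issued key only for the account it was issued to, and refuses the same key once it has aged past the TTL.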